[cryptography] ssh-keys only and EKE for web too (Re: preventing protocol failings)

Peter Gutmann pgut001 at cs.auckland.ac.nz
Thu Jul 14 00:15:06 EDT 2011


Ian G <iang at iang.org> writes:

>Microsoft have a big interest in bypassing the status quo, and they've tried
>several times.  But each time it isn't for the benefit of the users, more for
>their own benefit, in that they've tried to rebuild the security
>infrastructure with themselves in control.  (recall .net, InfoCard, Brands'
>patents, etc.)

Actually they do have one thing they've done that no other browser has, they
have, as of IE9, a single mechanism that goes beyond "has a certificate ->
good, no certificate -> bad" that all the other browsers use, which is their
SmartScreen reputation-based handling of executable downloads (not to be
confused with the mostly pointless blacklisting mechanism, which confusingly
is also called SmartScreen).  Unfortunately all the figures they give for its
effectiveness are yes-biased (what's in the other three sectors of the
contingency table?), and so far there hasn't been any rigorous assessment of
its effectiveness, but they are the only browser vendor that's even made an
effort to look beyond the cert/no cert boolean option.

(In addition, Infocard was an attempt at building a better
auth.infrastructure, not necessarily motivated by owning the market.  The
problem there was that it was sold as Microsoft Infocard, if they'd called it
OpenSomethingorother, say "OpenID", then no-one would have had a problem with
it).

Peter.



More information about the cryptography mailing list