[cryptography] GlobalSign temporarily ceases issuance of all certificates

Lucky Green shamrock at cypherpunks.to
Wed Sep 7 21:31:32 EDT 2011

On 2011-09-07 14:47, Ian G wrote:
> [...the original
> security requirement was to protect Credit cards.  Only.  Which have a
> known value range, a loss model, an insurance model, institutions
> already at arms to protect Robbie Relier.
> So, when people started using SSL for other purposes (email, banking,
> but not porn) ... what happens?
> Well, the value changed (up or down?) ... and the insurance disappeared.

Ian raises a very important point here that is all too often overlooked.
The core security objective of SSL and the public CA model was to ensure
that online transmissions of credit card information are at least as
secure as offline transactions of credit card information.

The SSL/public CA model did an admirable job in that regard and Taher
ElGamal and Paul Kocher deserve full credit for this accomplishment.

Recall that credit cards have been subject, and remain subject, to
skimming by dishonest gas station attendants and restaurant waiters even
in a "card present" scenario. The credit card infrastructure risk
management procedures evolved under this evolutionary pressure and they
too are doing a good job at mitigating (not eliminating) this risk as
credit card association and processor annual reports readily attest.

Both on an overall amount and a percentage basis, losses from
intercepted https submissions of credit cards are far lower than losses
from "card present" or stored credit card information misuse.

SSL's design goals explicitly excluded protection against national
government security and law enforcement entities. Indeed, SSL's original
design contains a wide selection of features exclusively geared towards
facilitating interception by governmental entities, RC4-40 being one
such feature.

With 40-bit crypto as the designated burst plate, there was no sound
engineering reason to fortify the rest of the plumbing to withstand the
pressures generated by national government level adversaries.

Alas, the design goals of SSL were soon (well, within 5-10 years)
forgotten and SSL and the public PKI infrastructure upon which it
depends started to be deployed protecting users subject to oppressive
regimes in which the threat model is resilience of the public PKI
infrastructure against national government adversaries eager to torture
and/or execute a subset of those for whom the design fails.

The SSL system, which today includes the TLS protocol and the notion of
global public CAs, was not designed to guard against this particular
threat. It should come as no surprise that the system does not defend
against such a threat.

If the threat is national government level adversaries, a different
system designed to withstand that threat is required. And thanks to Ian
for raising that point.

--Lucky Green
