[cryptography] Diginotar Lessons Learned (long)

James A. Donald jamesd at echeque.com
Sat Sep 10 12:43:36 EDT 2011

On 2011-09-10 11:22 AM, Peter Gutmann wrote:
> Lucky Green <shamrock at cypherpunks.to> writes:
>> We are also seeing a near universal call for "fixes" of the broken PKI
>> paradigm. I couldn't agree more that fixes - and indeed redesigns - are badly
>> needed and have been for some 15+ years. Pretty much since the day the word
>> PKI was coined. What I hear much more rarely are discussions if the proposed
>> fixes actually solve the problem.
> This is the problem with the mass of point solutions to various bits of PKI
> that are being proposed (including my own fix for OCSP).  Even if we fixed
> every piece of it, it would have close to zero effect on securing browser
> users, because browser PKI doesn't defend against anything that attackers are
> doing (insert standard refs to things like APWG data supporting this).  So we
> need to figure out what we're actually trying to achieve:
>    1. Fiddle with PKI because it's technical and fiddling with technology is
>       fun, and it's a convenient distraction from having to think about the
>       real problem.
>    2. Act to protect browser users, which has little to nothing to do with PKI.
> At the moment most (all?) of the response seems to be (1), "here's a flaw, and
> here's a proposed kewl technical thing to do to fix it".  So at the end of it
> all we may have a slightly less broken browser PKI, but the attackers won't
> even notice.
> We need to look at "how do we protect browser users" (thus <propaganda>my
> EuroPKI talk</propaganda>), not "how do we fix something that, even if it
> worked, wouldn't actually work".

Most attacks aim to obtain shared secrets, so, obviously, a major
solution is not fixing PKI, but SRP.

Email is the most insecure.  A very large proportion of attacks rely on 
email.  The ability to receive an email in clear is also extensively 
used as proof of identity, which would be broken were it not for the 
fact that lots of other things offer even better attacks.

After all these years, many users still have trouble realizing that an 
email ostensibly from so-and-so is not necessarily from so-and-so, so 
email has to be secured.  Since the overhead, inconvenience, and loss of 
privacy of getting one's true name certified by an authorized authority 
is unacceptable, that implies Zooko's triangle and/or global monitoring 
of key continuity.

Email goes through intermediaries, so it suffers from inherent snooping,
arbitrary and unpredictable file size limits, and the fact that one can never
really know if it has actually gone through.  What the intermediary
should do is arrange for the parties to poke holes in each other's
firewalls whenever both computers are online, thereby allowing the
transmission of large and arbitrary content.
