[cryptography] PKI - and the threat model is ...?

Ian G iang at iang.org
Mon Sep 12 14:35:13 EDT 2011

On 13/09/2011, at 0:15, "M.R." <makrober at gmail.com> wrote:

> In these long and extensive discussions about "fixing PKI" there
> seems to be a fair degree of agreement that one of the reasons
> for the current difficulties is the fact that there was no precisely
> defined threat model, documented and agreed upon ~before~ the
> "SSL system" was designed and deployed.

There is a pretty good effort to do exactly that, here:


After reading that, you might try my critique:


I believe Eric's attempt to be a good historical attempt to document it. As he says himself, he wasn't there, and worked from other sources. I've never heard anyone dispute his account.

> It appears to me that it is consequently surprising that again,
> in these discussions for instance, there is little or nothing
> offered to remedy that; i.e., to define the threat model
> completely independent of what the response to it might or
> might not be.

Close. I would say that the issue above is more that the incumbents refuse to be drawn on which threat model they are using today. That's because each of the models can be shown to have such grave flaws as to send responsible architects back to the drawing board.

E.g., you will have seen discussions this week on exactly whether the system protects credit cards, or "introduction", or something else?

So, we enter a game, which is primarily about claiming X, showing !X, then claiming, "but if Y" followed by !Y, and then, "no, but X."

One day after 2037, we'll get to the point that everyone who was alive in 1994 agrees that the threat model for SSL was bungled. In another net-century, we might also have overcome the drawbacks of those times, which are that approximately everyone knows how to ask "what's your threat model?" but approximately no-one knows how to develop a good one.

