[cryptography] Request - PKI/CA History Lesson
iang at iang.org
Thu May 1 21:49:41 EDT 2014
On 1/05/2014 02:54 am, Jeffrey Goldberg wrote:
> On 2014-04-30, at 6:36 AM, ianG <iang at iang.org> wrote:
>> On 30/04/2014 02:57 am, Jeffrey Goldberg wrote:
>>> I have been using “trust” in a sort of behavioral way. For the sake of the
>>> next few sentences, I’m going to introduce some terrible terminology. “b-trust”
>>> is my “behavioral trust” which will defined in terms of “c-trust” (“cognitive”).
>>> So let’s say that A c-trusts B wrt to X when A is confident that B will act in
>>> way X. (Cut me some slack on “act”). A “b-trusts” B wrt to X when she behaves
>>> as if she c-trusts B wrt to X.
>>> So when I say that users trust their browsers to maintain a list of trustworthy
>>> CAs, I am speaking of “b-trust”. They may have no conscious idea or
>>> understanding what they are actually trusting or why it is (or isn’t)
>>> worthy of their trust. But they *behave* this way.
>> Right, but this is very dangerous. You have migrated the meaning of X
>> in the conversation.
>> Users trust their browsers to do the right thing by security.
>> Browsers trust their CAs to do the right thing by their ID verification.
>> This does not mean that users trust their browsers to maintain a list of
>> trustworthy CAs.
> OK. So let me back peddle on “Ann trusts her browser to maintain a list of
> trustworthy CAs” and replace that with “Ann trusts her browser to do
> the right thing”.
Right, with that caveat about choice.
(I should note here that this is an evolving model about what trust
requires. There are a bunch of things; I say choice, Dan Geer says
recourse. In the context of this discussion -- why users do not and
cannot trust the PKI -- we get the same result because as well as there
being no choice in security models, there is also no recourse when it
goes wrong. BTW, this is deliberate, it isn't as if you can suddenly
sit up and say "oh, Dan makes so much sense,let's add recourse to PKI...")
>> Trusting the browsers to "do the right thing" also includes the
>> possibility that the browsers throw the lot out and start again. Or
>> drop some CAs from the list, which they only do with small weak players
>> that won't sue them.
> I am not saying that her trust is justified.
Indeed. If there was trust (I believe there is none) then we could also
ask if it was justified, and that would be another tough battle to show.
>> Also, one has to again refer to the nature of trust. It's a
>> choice-based decision. Trust is always founded on an ultimate choice.
>> In this context, we would claim that users b-trust because they know
>> they can switch. With browsers they cannot switch.
> Their choice is to transmit private information using their browsers.
Right, there is always in economics some form of substitute. But
actually we've probably moved beyond that as a society. Many goods are
only available via webstores, many stores and banks are structured to
handle most of their traffic via web.
So such a choice is like saying that they can always go off-grid for
electricity. Sure they can, but we don't see that as a consumer choice
in terms of competition, it's only an emerging possibility.
> Sure, you and I know that what protects most people from credit card
> fraud has nothing to do with browsers, and all has to do with
> regulations of the liability. But I’ve encountered plenty of people over
> the last few weeks who have said that they will stop using their
> credit cards on-line because of heartbleed, while they continue to use
> entirely unprotected email for things that are genuinely sensitive.
> Their choice is to not participate in e-commerce.
Pretty drastic, huh? I would say that e-commerce is utility grade now,
so it isn't a choice you can really call a choice in competition terms.
It's unlike say iPhone v. Android. Or, recall back in the late 1990s,
when Bill Gates decided to invest a few 100m in Apple... because he
needed a choice to keep the DoJ off his back.
>> There isn't a
>> browser that will offer a different model (they cartelised in 1994,
>> basically). And there isn't a browser vendor that will take user input
>> on this question.
> Again, I’m not saying that the trust that the browser will do the right
> thing is justified.
> But the ordinary users isn’t going to curate their own list of CAs. Even
> the extraordinary user is only going to tinker with these under rare
> circumstances. (Indeed, a bug in Apple’s trust chain logic was only
> discovered when individual users chose to distrust DigiNotar and found
> that things didn’t work as documented.)
Right -- but again you are looking for choice *within the sold model*
where there is none. We are loudly agreeing that there is no choice
inside the model.
(Have a another peek at James' post. He shows one model to do this
entirely outside the model. That would be choice, and is rejected by
the browser vendors.)
>> So there is no choice for the user.
> Again, people can chose to not participate in the system. It is
> a choice that has a high cost. But because the alternative to trusting
> the browser to do the right thing is costly, it means that people will
> lower their threshold.
>> Which is where it gets more dangerous: we can frame the question to
>> gain the answer we want; but who are we framing the result for ?
> All I’m asking is that we consider the people we are asking to
> “b-trust” the system. Can we build a system that is b-trustworthy
> for the mass of individuals who are not going to make c-trust
Right, this is the question, how do we do that?
That is what Certificate Transparency and Perspectives seek to do, as
well as other thoughts. First they make the c-trust available by
setting up alternate groups and paths. Then the c-trusters develop their
followings of b-trusters.
I think when it comes down to it, it all depends on what you can slip
past the browser vendors.
>>> I see that you’ve written on financial cryptography. Well think about conventional currency works. For all its problems currency works, and it is a system that requires “trust”. But only a negligible fraction of the people who successfully use the system do so through c-trust.
>> Right. Now add in hyperinflation to the mix; how many people really
>> trust their governments to not hyperinflate? Only ones with no
>> collective history of it.
> Again, the point of that example was not to claim that people always
> put the appropriate amount of b-trust into a system, but simply that
> the on a day to day basis we all behave “as if” we trust things in the
> c-trust sense without that understanding.
Right. We all behave on a day to day basis "as if" we trust the thing.
I personally do not like calling that trust, for the simple reason that
the word is dangerously wrong, and if you want to design something for
the users, you need to be on a solid foundation.
> Or are you saying that we should insist that everyone develop a full
> and proper understanding of the system before using it?
No, that will never work, except in novels.
> I think we should recognize that the vast majority of humanity are
> not as intensely curious about the particular things that we in this
> discussion are curious about. I also think that they shouldn’t be
> excluded from secure communication because of that.
Right. There likely needs to be a group of c-trusters in the middle
that mediate the trust of the b-trusters.
>> Right, we're certainly in the world we are in. However, the problem
>> with this particular world is that it uses a language that is
>> 'constructed' to appear to require this particular solution. In order
>> to find better solutions we have to unconstruct the constructions in the
>> language, so as to see what else is possible.
> I think that we have a higher chance of success if we use a language that
> can talk about agents who do not have a deep or accurate understanding of
> why a system is supposed to work. And so, I think that, with some refinement,
> my notion of b-trust is worthwhile.
Yes it could be. It might not be applicable to web-PKI because the
vendors confuse X "do the right thing by users" with X' "maintain a good
But I think it is applicable in a general sense.
More information about the cryptography