[cryptography] Request - PKI/CA History Lesson

Marcus Brinkmann marcus.brinkmann at ruhr-uni-bochum.de
Fri May 2 08:42:01 EDT 2014

On 05/02/2014 01:33 PM, ianG wrote:
>> For me the sentence, “I had little choice but to trust X” is perfectly
>> coherent.
> Yes, that still works.  It is when it goes to "no choice" that it fails.
>   For example, I have no choice but to use my browser for online banking.
>   I'm too far from a branch, and their phone service is mostly about
> telling me how to use the browser.

We must live in very different parts of the world, though.  In Germany, 
if I am doing online-banking, I have to follow the rules set by the 
bank.  The bank requires me not to pass the PIN to anybody, to check the 
browser status bar, to protect my TAN list, etc.  All that good stuff.

But I don't have to trust it.  When I follow the rules, and my money is 
stolen, the bank has to put up for it.  I am in the clear (minus the 

So, I don't have to trust it, I just have to use it as it is provided to 
me.  Moral dilemma avoided.

For the bank, the story is a different one altogether.  They don't care 
about IT security, or security research, or PKI, or CA, or browsers, or 
the users, or the meaning of the word "trust".  They care about profit 
margins and fraud quota, and if the fraud gets too much they ask a 
simple question: "What can we do that costs us as little as possible to 
get the fraud quote down to the X percent that we allow?"  And if that 
means bumping the key size from 1024 to 1025 bits, then we get 1025 bits 
until the next bump.

So, frankly, what's the big deal?  We have credible end-to-end security 
story lines if your life depends on it (ask Snowden).  For everything 
else, we have a bunch of patchworks, and insurances, and adjustable 
tolerances to protect against fraud.  Not absolutely, but enough to keep 
the machine running.  From a manager perspective, all is good and dandy, 
and nevermind the pain that is endured by the workers in the engine room.

As long as you live in a country that makes the people responsible for 
the system pay for any damages, it's just not that big a deal, unless 
you are passionate about IT security, or are suffering from some other 
illness to similar effect :).

More information about the cryptography mailing list