[cryptography] Request - PKI/CA History Lesson
marcus.brinkmann at ruhr-uni-bochum.de
Fri May 2 08:42:01 EDT 2014
On 05/02/2014 01:33 PM, ianG wrote:
>> For me the sentence, “I had little choice but to trust X” is perfectly
> Yes, that still works. It is when it goes to "no choice" that it fails.
> For example, I have no choice but to use my browser for online banking.
> I'm too far from a branch, and their phone service is mostly about
> telling me how to use the browser.
We must live in very different parts of the world, though. In Germany,
if I am doing online-banking, I have to follow the rules set by the
bank. The bank requires me not to pass the PIN to anybody, to check the
browser status bar, to protect my TAN list, etc. All that good stuff.
But I don't have to trust it. When I follow the rules, and my money is
stolen, the bank has to put up for it. I am in the clear (minus the
So, I don't have to trust it, I just have to use it as it is provided to
me. Moral dilemma avoided.
For the bank, the story is a different one altogether. They don't care
about IT security, or security research, or PKI, or CA, or browsers, or
the users, or the meaning of the word "trust". They care about profit
margins and fraud quota, and if the fraud gets too much they ask a
simple question: "What can we do that costs us as little as possible to
get the fraud quota down to the X percent that we allow?" And if that
means bumping the key size from 1024 to 1025 bits, then we get 1025 bits
until the next bump.
So, frankly, what's the big deal? We have credible end-to-end security
story lines if your life depends on it (ask Snowden). For everything
else, we have a bunch of patchworks, and insurance, and adjustable
tolerances to protect against fraud. Not absolutely, but enough to keep
the machine running. From a manager perspective, all is good and dandy,
and never mind the pain that is endured by the workers in the engine room.
As long as you live in a country that makes the people responsible for
the system pay for any damages, it's just not that big a deal, unless
you are passionate about IT security, or are suffering from some other
illness to similar effect :).