[cryptography] Request - PKI/CA History Lesson

ianG iang at iang.org
Fri May 2 09:37:21 EDT 2014

On 2/05/2014 13:42 pm, Marcus Brinkmann wrote:
> On 05/02/2014 01:33 PM, ianG wrote:
>>> For me the sentence, “I had little choice but to trust X” is perfectly
>>> coherent.
>> Yes, that still works.  It is when it goes to "no choice" that it fails.
>>   For example, I have no choice but to use my browser for online banking.
>>   I'm too far from a branch, and their phone service is mostly about
>> telling me how to use the browser.
> We must live in very different parts of the world, though.

We do.  But to some extent it is a constructed example.  Point being
that choice is not always there, and it's not always easy to isolate
quite whether choice is sufficient or not.

Which means it is easy to manipulate.

Which means that if you are in Germany, it probably makes little sense.
 Whereas if you are in US of A, it probably is a done deal that the bank
is trying to manipulate you to be stuck in an unfair deal.

> In Germany,
> if I am doing online-banking, I have to follow the rules set by the
> bank.  The bank requires me not to pass the PIN to anybody, to check the
> browser status bar, to protect my TAN list, etc.  All that good stuff.
> But I don't have to trust it.  When I follow the rules, and my money is
> stolen, the bank has to put up for it.  I am in the clear (minus the
> paperwork).
> So, I don't have to trust it, I just have to use it as it is provided to
> me.  Moral dilemma avoided.

You have recourse, right?

In UK, there is a case where the bank checked a transaction, and
discovered that the person trying to make a transaction (buying a rolex
in a jeweler's shop) provided unsure answers to the questions.  E.g., in
answer to "how long have you had the account?" he answered "all my
life."  The correct answer was 4 years.

The bank let the transaction happen, it was fraud.  The judge and the
appeal court both ruled the bank had done the right thing.


So yeah, people live in different worlds.

> For the bank, the story is a different one altogether.  They don't care
> about IT security, or security research, or PKI, or CA, or browsers, or
> the users, or the meaning of the word "trust".  They care about profit
> margins and fraud quota, and if the fraud gets too much they ask a
> simple question: "What can we do that costs us as little as possible to
> get the fraud quote down to the X percent that we allow?"  And if that
> means bumping the key size from 1024 to 1025 bits, then we get 1025 bits
> until the next bump.
> So, frankly, what's the big deal?

I was there when the MITB thing swept through the European banking
scene.  There was outright fear in the banks.  They were terrified.  But
in the end, they knuckled down and pushed out the two-factor thing that
you mentioned earlier.


The point is:  *the European banks responded*.  They have a feedback
loop.  They took responsibility.

E.g. (2), there is no phishing in Europe, more or less.  Why is that?

Over in USA, no such.  That's the big deal.  Where is web-PKI done?  In
the USA, according to USA rules, USA thinking, and USA-style liability

> We have credible end-to-end security
> story lines if your life depends on it (ask Snowden).  For everything
> else, we have a bunch of patchworks, and insurances, and adjustable
> tolerances to protect against fraud.  Not absolutely, but enough to keep
> the machine running.  From a manager perspective, all is good and dandy,
> and nevermind the pain that is endured by the workers in the engine room.
> As long as you live in a country that makes the people responsible for
> the system pay for any damages, it's just not that big a deal,

That point, right there.

> unless
> you are passionate about IT security, or are suffering from some other
> illness to similar effect :).



ps; by Europe, I mean the geographically connected part, not the
fogginess over the channel.

More information about the cryptography mailing list