- From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
- Date: Mon, 09 Jul 2007 23:07:52 +0100
- To: Serge Egelman <egelman@cs.cmu.edu>
- CC: Johnathan Nightingale <johnath@mozilla.com>, W3C WSC Public <public-wsc-wg@w3.org>

Serge,

While I think we all believe that the presentation of security indicators has been done badly over the last decade, I do not believe that one can therefore say that the security analysis that underlies current implementations is wrong. I also don't find a scattergun set of arguments to the effect that "PKI is not perfect, let's throw up our hands" are at all convincing. In particular -

- "No information available" is IMO overwhelmingly more likely than finding a CRL or getting any OCSP response, and ignoring this is not an option for anyone who cares about revocation
- Beginning an argument with a "what about $20 certs" but following up with "let's ignore the $$" seems to me like a bad way to argue - your argument is either about low assurance or it isn't
- Saying that anything at all "require(s) little vetting by a CA" shows a misunderstanding of PKI, where CAs are not required to do anything, but instead declare via CP/CPS what it is that they claim to do (exceptions to this are connected to legally significant signatures, which are very rare and probably out of scope of this WG and certainly unrelated to TLS); while you may disagree with aspects of how PKI is defined/operated it is not ok to ignore those definitions/operational aspects

Basically, I think you need to make a *much* better constructed argument, that needs to be demonstrably well-informed about the details of PKI, if you are going to be convincing in terms of the presentation of revoked certs or SSCs.

Stephen.

Received on Monday, 9 July 2007 22:06:11 UTC