[LINK] certificates
Roger Clarke
Roger.Clarke at xamax.com.au
Sun Jan 14 19:05:48 AEDT 2007
At 17:29 +1100 14/1/07, Danny Yee wrote:
>The biggest problem is that users simply ignore both ssl encryption
>and the existence of certificates, signed or otherwise. I don't know
>what can be done about this.
Those of us who know what certs are supposed to do, and what those
warnings are supposed to mean, also ignore them.
We do so because we know that they have never meant what they're
supposed to mean, and they never will.
Here's what I posted to some colleagues a couple of weeks ago:
>Date: Sat, 30 Dec 2006 12:20:03 +1100
>
>Re Extended Validation SSL Certificate Vetting Process:
>http://www.cabforum.org/vetting.html
>
>Sounds like something various of us might have written c. 1998?
>
>As per usual, the difficult bit has been ducked:
>"The CA must take all steps reasonably necessary to verify that the
>entity named in the EV Certificate has authorized the issuance of
>the EV Certificate".
>
>But is there anything that the relying party can actually rely on,
>and can actually seek recompense for in the event that it proves not
>to be correct?
>
>Ah, here we are, at 37(a)(1):
>http://www.cabforum.org/EV_Certificate_Guidelines.pdf
>"limitations on the CA's liability MUST ... be specified in the CA's
>EV Policies, and ... in no event shall the CA seek to limit its
>liability to Subscribers or Relying Parties for legally recognized
>and provable claims to a monetary amount less than $2,000 per
>Subscriber or Relying Party per EV Certificate".
>
>In other words, "we stand by our certification to the level of ...
>the administrative costs of processing your letter of complaint".
>
>It *looks* like progress; but it still hasn't solved the basic problem.
Danny continued:
>A smaller problem is that it's trivial to get a signed certificate ...
A nice way to put it.
> ... that verifies that www.westpac-ultrasecure.com really does belong to
>"WP Inc" or some other such entity. Maybe there should be some kind
>of certification restricted to Australian financial institutions
>and managed by ASIC or the RBA. (Of course this won't help with
>transations with merchants.) ...
That's called Identrus within the banking community, and they're
(still? again?) trying to sell it to merchants under the brandname
IdentTrust:
http://www.identrust.com/
Identrus works within the closed community of financial institutions
that have full-time IT staff, who have lots of expertise and who they
can give lots of training, and that can afford the horrendous costs
involved.
Identrus doesn't work *outside* such circumstances.
Remember SET? It was pretty comprehensive, and heavy duty; and in
order to work (in a technical sense) it was so heavy duty that it
could never work (in a commercial and strategic sense).
Locally, there was a project called ANGUS c. 1999-2001:
http://www.agimo.gov.au/resources/ppt/2001/010517dm?result_page=14
http://www.agimo.gov.au/resources/ppt/2001/010517dm?result_page=13
http://www.agimo.gov.au/resources/ppt/2001/010517dm?result_page=20
http://www.agimo.gov.au/resources/ppt/2001/010517dm?result_page=31
As far as I can tell, Angus didn't make much progress (although to
the credit of our sometime client, then NOIE now AGIMO, the
historically important material is still web-accessible).
--
Roger Clarke http://www.anu.edu.au/people/Roger.Clarke/
Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au http://www.xamax.com.au/
Visiting Professor in Info Science & Eng Australian National University
Visiting Professor in the eCommerce Program University of Hong Kong
Visiting Professor in the Cyberspace Law & Policy Centre Uni of NSW
More information about the Link
mailing list