[LINK] certificates

Roger Clarke Roger.Clarke at xamax.com.au
Sun Jan 14 19:05:48 AEDT 2007


At 17:29 +1100 14/1/07, Danny Yee wrote:
>The biggest problem is that users simply ignore both ssl encryption
>and the existence of certificates, signed or otherwise.  I don't know
>what can be done about this.

Those of us who know what certs are supposed to do, and what those 
warnings are supposed to mean, also ignore them.

We do so because we know that they have never meant what they're 
supposed to mean, and they never will.

Here's what I posted to some colleagues a couple of weeks ago:

>Date: Sat, 30 Dec 2006 12:20:03 +1100
>
>Re Extended Validation SSL Certificate Vetting Process:
>http://www.cabforum.org/vetting.html
>
>Sounds like something various of us might have written c. 1998?
>
>As per usual, the difficult bit has been ducked:
>"The CA must take all steps reasonably necessary to verify that the 
>entity named in the EV Certificate has authorized the issuance of 
>the EV Certificate".
>
>But is there anything that the relying party can actually rely on, 
>and can actually seek recompense for in the event that it proves not 
>to be correct?
>
>Ah, here we are, at 37(a)(1):
>http://www.cabforum.org/EV_Certificate_Guidelines.pdf
>"limitations on the CA's liability MUST ... be specified in the CA's 
>EV Policies, and ... in no event shall the CA seek to limit its 
>liability to Subscribers or Relying Parties for legally recognized 
>and provable claims to a monetary amount less than $2,000 per 
>Subscriber or Relying Party per EV Certificate".
>
>In other words, "we stand by our certification to the level of ... 
>the administrative costs of processing your letter of complaint".
>
>It *looks* like progress;  but it still hasn't solved the basic problem.


Danny continued:
>A smaller problem is that it's trivial to get a signed certificate ...

A nice way to put it.


>  ... that verifies that www.westpac-ultrasecure.com really does belong to
>"WP Inc" or some other such entity.  Maybe there should be some kind
>of certification restricted to Australian financial institutions
>and managed by ASIC or the RBA.  (Of course this won't help with
>transations with merchants.) ...

That's called Identrus within the banking community, and they're 
(still?  again?) trying to sell it to merchants under the brandname 
IdentTrust:
http://www.identrust.com/

Identrus works within the closed community of financial institutions 
that have full-time IT staff, who have lots of expertise and who they 
can give lots of training, and that can afford the horrendous costs 
involved.

Identrus doesn't work *outside* such circumstances.

Remember SET?  It was pretty comprehensive, and heavy duty;  and in 
order to work (in a technical sense) it was so heavy duty that it 
could never work (in a commercial and strategic sense).

Locally, there was a project called ANGUS c. 1999-2001:
http://www.agimo.gov.au/resources/ppt/2001/010517dm?result_page=14 
http://www.agimo.gov.au/resources/ppt/2001/010517dm?result_page=13
http://www.agimo.gov.au/resources/ppt/2001/010517dm?result_page=20
http://www.agimo.gov.au/resources/ppt/2001/010517dm?result_page=31

As far as I can tell, Angus didn't make much progress (although to 
the credit of our sometime client, then NOIE now AGIMO, the 
historically important material is still web-accessible).


-- 
Roger Clarke                  http://www.anu.edu.au/people/Roger.Clarke/
			            
Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
                    Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/

Visiting Professor in Info Science & Eng  Australian National University
Visiting Professor in the eCommerce Program      University of Hong Kong
Visiting Professor in the Cyberspace Law & Policy Centre      Uni of NSW



More information about the Link mailing list