[cap-talk] Firefox and identifiability, small steps or large

Ka-Ping Yee cap-talk at zesty.ca
Wed Feb 9 10:16:40 EST 2005


On Wed, 9 Feb 2005, Ian G wrote:
> Ka-Ping Yee wrote:
> >Moreover, the entire TrustBar model places absolute trust in
> >centralized CAs even though there is no trust relationship between
> >the user and the CA.  So, depending on your opinion concerning CAs,
> >you might consider TrustBar to be solving the wrong problem.
>
> No.  What TrustBar does is permit a user to
> sign off on a cert.  TrustBar does not care
> whether that cert comes from a CA or not,
> but it will present that information.  It does
> however require (I think) an SSL connection
> with a cert to base its identity on.

Right.  I'm sorry; I should have stated what I meant more clearly.
Yes, the user can choose whether or not to trust the CA, and can
decide to trust "non-standard" CAs if he or she wants to.

However, my understanding of the paper is that the trust indicator
is based on the site certificate.  That means the user doesn't
really get the choice: the *site* gets to choose the CA under
which to present its certificate.  So it is entirely likely that
the user will want to establish (or already have) a trust relationship
with the site (e.g. his bank), but not have a trust relationship with
the CA.

To make this concrete, suppose that Alice doesn't trust VeriSign
because she knows that they have been screwing over the Internet
for their own selfish purposes.  But Alice wants to do business
with Paypal.  https://paypal.com/ presents a certificate signed
by VeriSign.  So if she wants to communicate securely with Paypal,
she is forced to trust VeriSign in order to do so.

For Alice to be placed regularly or frequently in the position of
having to rely on CAs that she doesn't know or doesn't trust is
dangerous.  If she is forced to do this often enough, she may
learn to ignore the CA logo.

> So in security terms, this is the SSH model,
> where the problem is divided and conquered.

It's not quite the same because of the addition of the CA, a CA
possibly unknown to the user.


-- ?!ng
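
Added example, not part of the original message and not TrustBar's or SSH's code: a simplified model of the two trust decisions discussed above, one routed through the CA the site chose and one bound SSH-style to the site's own certificate. The host name, CA names and certificate bytes are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    host: str     # site the certificate names
    issuer: str   # CA chosen by the site, not by the user
    der: bytes    # stand-in for the encoded certificate (constructed)

def fingerprint(cert):
    return hashlib.sha256(cert.der).hexdigest()

def ca_model(cert, host, trusted_cas):
    """Trust flows through the issuer: the user must trust the site's CA."""
    if cert.host != host:
        return "reject: name mismatch"
    if cert.issuer not in trusted_cas:
        return "reject: untrusted CA"
    return "accept"

def pin_model(cert, host, pins):
    """SSH-style: trust is bound to the site's certificate; issuer is ignored."""
    if cert.host != host:
        return "reject: name mismatch"
    known = pins.get(host)
    if known is None:
        return "unknown: ask user to sign off"
    if known != fingerprint(cert):
        return "reject: certificate changed"
    return "accept"

def sign_off(cert, pins):
    """Record the user's explicit decision to trust this site certificate."""
    pins[cert.host] = fingerprint(cert)

def demo():
    # Constructed sample data; all names are hypothetical.
    bank = Cert("bank.example", "CA-X", b"bank-cert-v1")
    other = Cert("bank.example", "CA-Y", b"different-cert")
    alice_cas = {"CA-Y"}          # Alice trusts CA-Y but not CA-X
    pins = {}
    out = [ca_model(bank, "bank.example", alice_cas)]       # site picked a CA Alice rejects
    out.append(ca_model(other, "bank.example", alice_cas))  # any CA she trusts can vouch
    out.append(pin_model(bank, "bank.example", pins))       # first contact
    sign_off(bank, pins)
    out.append(pin_model(bank, "bank.example", pins))       # after her sign-off
    out.append(pin_model(other, "bank.example", pins))      # cert differs from the pin
    return out
```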

