Transport-level encryption with Tcpcrypt

Posted Aug 26, 2010 15:39 UTC (Thu) by zooko (guest, #2589)
In reply to: Transport-level encryption with Tcpcrypt by djao
Parent article: Transport-level encryption with Tcpcrypt

> The Firefox example is a dramatic illustration of the absurdity that arises when programmers without cryptography expertise try to write security software.

Now hold on there, mister. The PKI paradigm in which public keys are supposed to be vetted by a centralized trusted third party can be blamed squarely on the cryptographers who invented public key encryption in the first place.

The reason Mozilla and every other user-facing app has this stupid design is a direct consequence of them trusting in cryptographers to give them good advice about security distributed systems design.

(Now granted, we all should have known at the start that cryptographers are the wrong people to go to for secure distributed systems design.)

Anyway, I can't hold silent while you reverse the history and say that application hackers like the Netscape engineers are the ones to blame when they should have listened to cryptographers. That's backward! They did listen to cryptographers, and that's how we got here!

Since then a lot of distributed systems hackers (myself included) have pushed alternative models instead of the PKI model, and more recently (*after* we distributed systems hackers made significant progress) cryptographers like Prof. Boneh have started working on it too.


Transport-level encryption with Tcpcrypt

Posted Aug 26, 2010 15:49 UTC (Thu) by Trelane (subscriber, #56877) [Link] (4 responses)

Link to these other models, for those of us non-cryptographer non-distributed people in the audience? Thanks!

Transport-level encryption with Tcpcrypt

Posted Sep 4, 2010 4:52 UTC (Sat) by zooko (guest, #2589) [Link] (3 responses)

Self-certifying filesystem:

ftp://cag.lcs.mit.edu/pub/dm/papers/mazieres:thesis.ps.gz

ssh's model which Peter Gutmann calls the "baby-duck" model or "key continuity"

Web of Trust by Phil Zimmermann

The FreeS/WAN project by John Gilmore, Hugh Daniel et al., known as "Opportunistic Encryption".

The Capability Access Control model:

original:

http://www.cs.washington.edu/homes/levy/capabook/Chapter3...

modern synthesis:

http://erights.org/talks/thesis/index.html

Zooko's Triangle and Pet Names:

http://www.skyhunter.com/marcs/petnames/IntroPetNames.html

ZRTP:

http://en.wikipedia.org/wiki/ZRTP

Tahoe-LAFS:

http://tahoe-lafs.org

(Those last three are self-citations.)

The overall theme here is that the good ideas about robust decentralized security came originally from systems researchers and hackers, not from cryptographers. Cryptographers traditionally focused on elegant mathematical models and (with almost no explicit justification) they settled on the globe-spanning, centralized, hierarchical security model that we all know and love today as "PKI".

Transport-level encryption with Tcpcrypt

Posted Sep 6, 2010 3:20 UTC (Mon) by zooko (guest, #2589) [Link] (2 responses)

I was remiss in omitting Carl Ellison:

Carl Ellison. Establishing Identity Without Certification Authorities. In Proc. Sixth USENIX Security Symposium, pages 67–76, Berkeley, 1996. Usenix.

Again, this is a fellow who is basically a systems researcher, not a cryptographer as such (he has no publications in crypto theory to my knowledge), and he was publishing good ideas along these lines back in '96.

Oh, and of course Ron Rivest was doing a very similar thing in '96: http://people.csail.mit.edu/rivest/sdsi10.html

So there's the first example I can come up with of a bona fide cryptographer giving us something more robust and decentralized than the PKI model.

Transport-level encryption with Tcpcrypt

Posted Sep 6, 2010 3:26 UTC (Mon) by zooko (guest, #2589) [Link] (1 responses)

Oh, and I see that Rivest's SDSI 1.0 in '96 cites:

Matt Blaze, Joan Feigenbaum, and Jack Lacy. Decentralized trust management. In Proceedings 1996 IEEE Symposium on Security and Privacy, page (to appear), May 1996.

Also real cryptographers.

But I should emphasize that while SDSI and to a lesser extent PolicyMaker were influential, these were exceptions to the centralized hierarchical PKI model that dominated cryptography, and they were too late. By 1996 the damage had already been done when Netscape engineers baked the PKI model into their socket encryption protocol, SSL.

Transport-level encryption with Tcpcrypt

Posted Sep 6, 2010 3:27 UTC (Mon) by zooko (guest, #2589) [Link]

I wrote "by 1996 the damage had already been done...", but I meant that it had already been done two years earlier, when Netscape invented SSL.

Okay I'm definitely going to stop following-up to myself now. :-)

Transport-level encryption with Tcpcrypt

Posted Aug 26, 2010 15:56 UTC (Thu) by djao (guest, #4263) [Link]

I do not, did not, and never have faulted the original Netscape engineers. They did the best job that they could at the time. In particular, Netscape predates SSH, and SSH was the first program to demonstrate that crypto is much easier to deploy without a PKI. (SSH is also, incidentally, the only crypto protocol in history successful enough to have driven its corresponding unencrypted alternative to extinction.) I also fully agree that cryptographers are largely at fault for the colossal PKI mistake.

But Firefox was developed well after the rise of SSH, and the particular design decision that I am criticizing, namely the decision to change the warning dialogs for unauthenticated encrypted connections from one mild warning to three consecutive very big scary warnings, was made in Firefox 2.0, released in 2006. The Netscape engineers had valid excuses for their mistakes. The Firefox engineers do not.

Transport-level encryption with Tcpcrypt

Posted Aug 29, 2010 1:54 UTC (Sun) by zooko (guest, #2589) [Link]

Oh hey I see David Mazières is on the Tcpcrypt project. I have to give him props for Self-certifying Filesystem (circa 2000) as being an early part of what I call the "good" tradition.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds