
Re: HTTPS everywhere!

On Fri, 2014-06-20 at 22:58 +0200, Christoph Anton Mitterer wrote:
> > But after you've sent them money or downloaded their software
> > you have formed a trust relationship with whoever controls that cert far
> > stronger than the assurances X.509 provides.  That is true in the
> > positive sense if you receive your goods after paying, or the software
> > you downloaded works well, or in the negative sense if the reverse
> > happens.  Regardless, next time you deal with the entity that controls
> > the www.shop.com cert, you now know far more about them than the X.509
> > PKI does.
> I don't quite understand what you mean here.

Sorry for not being clear.  I was comparing the relative trustworthiness
of two certificates.

One is a CA - well an unknown CA among the multitudes in your browser.
The other is a web store.  The store is utterly known to you - apart
from the fact that you sent them some money on the promise they would
deliver goods advertised on their web site, and they delivered on that
promise.  However, during that transaction they gave you a certificate
on the assumption that they control the private key to that certificate.

The situation now is you wish to purchase from this person again.  As
before you must interact with them over the web.  When you go to
www.shop.com, the only assurance you have that you are dealing with the same
mob is the certificate you choose.

I was making the (I hope by now obvious) point that you would trust the
shop's certificate more.

> > The bug is the current system forces you to rely on X.509 for all
> > future contacts, even though you have a much better source of trust.
> > During that initial contact the protocol could have arranged for you to
> > download a cert signed by the owners of shop.com themselves, so you
> > could rely on it in the future instead of X.509.  Suddenly all X.509
> > issues, like MITM attacks, disappear.
> Well more or less... this *is* the case ... or at least it can be done
> when you use something like Certificate Patrol.
> Then you verify whether it's still the same cert that you communicate
> with (and only the shop owner should have the key).
> But reality is: It doesn't really help you at all since:
> - the attacker could have MitM you in the first place and even when you
> - you lose the whole framework that allows key/cert changes
> (renewals/revocations), etc.

Does it take only one counter example to disprove this?  If so, the
DigiNotar attack is it.  Quoting Wikipedia [0]:

  "300,000 Iranian Gmail users as the main target of the hack (targeted
  subsequently using man-in-the-middle attacks), and suspected that
  Iranian government was behind the hack"

In all likelihood, people died because of this.

But consider: these people were existing Gmail users.  Under my scheme,
they would have ceased needing to use the X.509 PKI infrastructure long
ago, long before the leaders of Iran realised they needed to compromise
the X.509 PKI infrastructure to suppress their dissent.
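The scheme argued for above (pin the shop's own key on first contact and rely on it afterwards), together with the quoted objection about key renewals, as an added example that is not part of this thread: a minimal trust-on-first-use pin store in Go in which a changed key is accepted only when the previously pinned key endorses its successor, and is otherwise treated as a possible man-in-the-middle. PinStore, Check and rotationMessage are hypothetical names, and Ed25519 keys stand in for X.509 certificates; the sample keys are constructed in main.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

type Outcome int // result of checking the key a host presented against the pin store
const (
	Pinned   Outcome = iota // first contact: key recorded, only X.509 vouched for it
	Match                   // same key as last time: continuity holds, no CA needed
	Rotated                 // new key endorsed by the previously pinned key (renewal)
	Mismatch                // new key without a valid endorsement: possible MITM
)

// PinStore keeps, per host, the public key seen on first contact (TOFU), as a
// Certificate Patrol style client would. Hypothetical; Ed25519 stands in for X.509.
type PinStore map[string]ed25519.PublicKey

// rotationMessage is what the old key signs to endorse its successor; binding the
// host name in stops the endorsement being replayed for another site.
func rotationMessage(host string, next ed25519.PublicKey) []byte {
	return append([]byte("rotate:"+host+":"), next...)
}
// Check classifies the presented key; endorsement is the previously pinned key's
// signature over rotationMessage(host, presented), or nil when none was sent.
func (ps PinStore) Check(host string, presented ed25519.PublicKey, endorsement []byte) Outcome {
	pinned, ok := ps[host]
	if !ok {
		ps[host] = presented
		return Pinned
	}
	if pinned.Equal(presented) {
		return Match
	}
	if endorsement != nil && ed25519.Verify(pinned, rotationMessage(host, presented), endorsement) {
		ps[host] = presented // trust carries over to the renewed key
		return Rotated
	}
	return Mismatch // the DigiNotar case: perhaps CA-signed, but not the key we know
}

func main() {
	store := PinStore{}
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed shop key
	next, _, _ := ed25519.GenerateKey(rand.Reader)   // its legitimate renewal
	sig := ed25519.Sign(priv, rotationMessage("www.shop.com", next))
	fmt.Println(store.Check("www.shop.com", pub, nil), store.Check("www.shop.com", next, sig)) // 0 2
}
```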
