potential new IETF WG on anonymous IPSec

John Kelsey kelsey.j at ix.netcom.com
Mon Sep 20 06:44:25 PDT 2004


>From: "Major Variola (ret)" <mv at cdc.gov>
>Sent: Sep 17, 2004 10:27 PM
>To: "cypherpunks at al-qaeda.net" <cypherpunks at al-qaeda.net>
>Subject: Re: potential new IETF WG on anonymous IPSec

>At 06:20 AM 9/17/04 +0000, Justin wrote:
>>On 2004-09-16T20:11:56-0700, Major Variola (ret) wrote:
...
>>Oh, come on.  Nothing can be absolutely trusted.  How much security is
>>enough?

>>Aren't the DOD CAs trusted enough for your tastes?  Of course, 'tis
>>problematic for civilians to get certs from there.

>DoD certs are good enough for DoD slaves.  Hospital certs are good
>enough for their employees.  Joe's Bait Und Tackle certs are good enough
>for Joe's employees.  Do you think that Verislime is good enough for
>you?

You seem to have rediscovered the fact that crypto can move trust around, but can't create any.  You have to decide to trust someone for it to be useful.  The great problem with practically using this stuff is getting someone that you're comfortable trusting, who can then use crypto to move the trust around in a sensible way.  

The condition necessary for Verisign certificates to have a lot of trust, to me, is for the appearance of a fraudulent Verisign certificate to be a major scandal, leading to the CEO getting canned, the stock price dropping by some large fraction, and a huge fall-off of business for their CA.  When that isn't the case (for the high-security certs; it's clearly silly to expect it for low-security ones), the CA doesn't have as much incentive as I'd like to be careful about forgeries.  You'd like the exposure of a fraudulent certificate signed by a CA to have the same kind of effect as the exposure of a bank being unable to produce the money a depositor demands.

Fraudulent certificates issued for any purpose--whether furnishing fake IDs to FBI agents, or to Al Qaida terrorists, or to random Nigerian-scam operators--leave a permanent trail; the recipient of the certificate can show it around when he discovers it's fraudulent.  If the last step of this protocol for the CA is "and then you go out of business," the incentives not to issue fraudulent certificates look right.

--John
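
The trust argument in the message above, worked through with throwaway X.509 certificates and the openssl command line. This is an added example, not part of John Kelsey's message or the list archive; it assumes an openssl binary (1.1.1 or later) on PATH, and every name in it ("Example Root CA", "Other Root CA", "bank.example", the file names) is hypothetical. It shows three things the prose states but does not demonstrate: a relying party's decision to trust a root is the only thing separating a genuine certificate from a fraudulent one for the same name; the fraudulent certificate verifies against the CA's own certificate, so it is evidence the CA cannot disown; and the remedy (dropping the root) takes the genuine certificate down with the forgery.

```shell
#!/bin/sh
# Added example (not from the original message): model "crypto moves trust,
# it doesn't create it" with throwaway X.509 certificates and the openssl CLI.
# Assumes openssl >= 1.1.1 on PATH; all names below are hypothetical.
set -e
work=$(mktemp -d)   # scratch directory; left in place so the files can be inspected
cd "$work"

quiet() { "$@" >/dev/null 2>&1; }

# make_root <cn> <basename>: a self-signed root that a relying party may choose to trust.
make_root() {
  quiet openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -subj "/CN=$1" -keyout "$2.key" -out "$2.crt"
}

# issue <ca-basename> <cn> <basename>: the CA signs a leaf certificate for <cn>.
# The CA's signature is the only thing that ties the leaf to the root.
issue() {
  quiet openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$2" -keyout "$3.key" -out "$3.csr"
  quiet openssl x509 -req -in "$3.csr" -CA "$1.crt" -CAkey "$1.key" \
    -CAcreateserial -days 1 -sha256 -out "$3.crt"
}

# verify_against <trusted-root.crt> <leaf.crt>: exit 0 iff the leaf chains to that root.
verify_against() { quiet openssl verify -CAfile "$1" "$2"; }

# issuer_of <cert>: who signed it, in RFC 2253 form (the "permanent trail").
issuer_of() { openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//'; }

make_root "Example Root CA" ca       # the CA relying parties have decided to trust
make_root "Other Root CA" other      # an unrelated root nobody asked about

issue ca "bank.example" legit        # the genuine bank's certificate
issue ca "bank.example" fraud        # a second cert for the same name, issued to an impostor

# 1. Whoever trusts Example Root CA accepts both: the relying party's trust in the
#    root is moved onto everything the root signed, and the crypto cannot tell good
#    issuance from bad. Nothing in either certificate distinguishes them.
verify_against ca.crt legit.crt && echo "legit.crt: accepted by anyone trusting Example Root CA"
verify_against ca.crt fraud.crt  && echo "fraud.crt: accepted by the same people"

# 2. The fraudulent cert is self-authenticating evidence: its signature checks out
#    against the CA's own certificate, so the CA cannot deny having issued it.
echo "fraud.crt was issued by: $(issuer_of fraud.crt)"

# 3. The remedy is outside cryptography. A relying party who stops trusting the root
#    (here: trusts only Other Root CA) rejects the genuine cert along with the forgery.
verify_against other.crt legit.crt || echo "legit.crt: rejected once Example Root CA is no longer trusted"
verify_against other.crt fraud.crt || echo "fraud.crt: rejected too"
```

Running it prints both "accepted" lines, then the issuer of the forgery, then both "rejected" lines. Step 3 is the point of the message: the verification code never changes, only the list of roots a relying party is willing to trust, and that list is a business and reputation decision, not a cryptographic one.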
