Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.

[Ron DuFresne <dufresne () winternet com>]

On Wed, 16 Feb 2005, Gwendolynn ferch Elydyr wrote:

> On Wed, 16 Feb 2005, bkfsec wrote:
> > The local BBB is accountable to local laws.  CAs are spread throughout the
> > world and are global in nature.  As a member of a local community, I can
> > choose to familiarize myself with those regulations, understand them, and use
> > them against the BBB if they violate their trust.  I can also choose to go on
> > a crusade against the local BBB.
> >
> > I think that deep down we're agreeing on the point that they're inherently
> > untrustworthy.  My point in saying "if you take my meaning" was to hi-light
> > that rather than focus on this relatively minor nitpicking of point.  I'm not
> > the first one in this thread to bring up the BBB.  So take your point up with
> > the person who did bring it up, please.
>
> Actually I'm just trying to be explicitly clear about the path that
> you're using for trust.  The BBB just happens to be the example that
> you'd used as an organization that you'd trust more than your average CA.
>
> As I'm reading you, you're saying that you:
>
>       (1) trust establishments that you can see and touch more
>               than you trust establishments that you can't see or touch.
>
>       (2) trust establishments that are bound by a legal system that
>               you're familiar with more than establishments that are bound
>               by a legal system that you aren't familiar with.
>
> IMHO the question is more about what your particular grounds for trust
> happen to be than whether CAs are all/partially/not trustworthy - or
> if the BBB in your area happens to be trustworthy.
>
> Personally I'd really debate the concept that physical proximity is
> in any respect grounds for trust - and that familiarity implies the same.
>
> I'd be far more inclined to suggest using consistent long term behaviour
> as a predictor - and implementing a system where significant incentives
> towards desired behaviour exist.

But do not "physical proximity" and "familiarity" not also imply that a
lengthy relationship is probable which would enable behavioural
observations of said length to determine it's consistency?  Somewhat like
the concept that a person gets better service from a smaller mom&pop shop
then they do in a superstore?


Thanks,

Ron DuFresne
-- 
"Sometimes you get the blues because your baby leaves you. Sometimes you get'em
'cause she comes back." --B.B. King
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.