After some years staring at this I've decided everything looks this way if you're used to the Web PKI. I tried very hard at first to assume that the PCI SSC, the EMV group, Wi-Fi Alliance and suchlike are doing great work but it's behind closed doors and so invisible to me. That theory has been challenged so thoroughly that I feel compelled to reject it.
Four things that stick in my mind in no particular order in relation to this realisation:
1. Peter Gutmann's out of the blue attack on ACME when it was relatively young. Gutmann's SCEP doesn't solve the problem, and at first my assumption was that he just needed to have that explained. After a while I realised that SCEP's success depends upon not understanding what the real problem is, and SCEP is widely deployed outside the Web PKI largely _because_ choosing not to understand the problem suits those applications perfectly well. ACME can't displace SCEP in such applications but its existence might cause people to ask uncomfortable questions and perhaps Peter would (unconsciously?) rather that didn't happen.
2. Eric Rescorla's explanation of what a great environment HTTP (and particularly web browsers) is for a cryptographic adversary. In the literature imaginary bad guys often get to watch one party do a million message/reply back and forths, time them accurately and then send a million bytes of nonsense data to the target as setup for their attack, and in many applications this would be ludicrous in practice, the target would obviously react, how could you cause anyone to send so many messages without attracting notice, let alone time them? So the attacks seem just theoretical. But on the web you can just write some JavaScript and victims will happily run it for you on their computers.
3. Dean Coclin of Symantec and eventually the various banks/payment providers etcetera that had hidden behind Symantec explaining that such institutions really _needed_ security, unlike mere cat blogs and search engines, but of course they couldn't be expected to react to notice of serious issues with an obsolete hash algorithm in a timely fashion, and so surely they ought to get an extra year or five to upgrade from SHA-1, and if they didn't there'd be dire consequences.
4. ETSI's work on the "Middlebox Security Protocol" aka ETSI TS 103 523. Obviously most of this happens out of view, so we have no idea if there's something productive being discussed - but they kindly (?) shared their work in progress documents with outsiders including the TLS Working Group and er... yuck. I mean... see for yourself:
https://docbox.etsi.org/CYBER/CYBER/Open/Latest_Drafts