[cabfpub] Localized CAs (was: Food for Thought)

Hill, Brad bhill at paypal-inc.com
Tue Aug 28 12:17:46 MST 2012


I'll also remind the list of my similar suggestion at the Norway meeting that browsers could use an algorithm similar to the anti-spoofing mechanism used today in some places to decide whether to display punycode or native scripts in the URL bar for IDNs: if you have the language pack installed/enabled at the OS level, show the native script, otherwise show punycode.

In this case, the root store could annotate certain CAs as doing business in a set of language-based locales, and offer an interstitial warning the first time a user visits a site certified by an authority outside of their normal linguistic area. If the user decides, yes, I want to accept certificates issued for the Chinese/Dutch/Spanish/whatever market, then that warning is never shown again for that language group.

I think a warning that only triggers when the actual condition is met, in-context, will be easier to "sell" to browsers and more usable than an out-of-context, install-time prompt to disable individual CAs.  99.9% of users have no idea what a CA even is, and they don't have the most helpful or meaningful names to most users - especially the ones outside your language.

The place where this breaks down, of course, is that (nearly) all CAs will want to participate in the .com / "global English" space.  You might convince a few CAs that it is in their own best interest to restrict themselves to their actual markets to reduce their value as targets of attack (this would've served DigiNotar well) but I wonder how many businesses would volunteer to be part of such a restriction, or how root store programs would adjudicate imposing and managing such restrictions.

-Brad

> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org]
> On Behalf Of Rick Andrews
> Sent: Tuesday, August 28, 2012 11:59 AM
> To: public at cabforum.org
> Subject: [cabfpub] Food for Thought
> 
> Forum,
> 
> I know this will be controversial, and I don't expect it to become a work item,
> but I wanted to throw out an idea for discussion.
> 
> CAs have taken a lot of heat for the "weakest link in the chain" failures that
> we saw last year. But one could argue that browsers are also at fault for
> creating a system in which all roots are automatically and equally trusted.
> 
> Like most US-based users, I never expect or need to trust any certificate
> issued by foreign, perhaps geography-based CAs like Chunghwa Telecom,
> CNNIC, Deutsche Telekom, e-Guven Kok Elektronik Sertifika Hizmet Saglayicisi,
> Generalitat Valenciana, Taiwan GRCA, Hellenic Academic and Research
> Institutions Cert. Authority, Hong Kong Post, Izenpe.com, NetLock
> Halozatbiztonsagi Kft., IGC/A, SECOM Trust Systems CO.,LTD., Sociedad
> Cameral de Certificación Digital, Staat der Nederlanden, Sociedad Cameral de
> Certificación Digital, Swisscom, TAIWAN-CA, Türkiye Bilimsel ve Teknolojik
> Araştırma Kurumu, or Unizeto Technologies S.A..
> 
> I see value in having the browser alert me (at install time or upgrade time)
> and say something like: "You appear to be based in the United States. It's
> recommended that you disable trust for Certificate Authorities that are
> foreign, if you never expect to visit web sites based in other countries.
> (Cancel) (Disable Trust)".
> 
> This may be challenging for Chrome, which doesn't own the root store, but
> there's probably a way to make it work.
> 
> I realize this may appear chauvinistic, but it can be country-specific at least for
> the few countries with the largest number of Internet users. Here are some
> statistics from http://www.internetworldstats.com/top20.htm:
> 
> TOP 5 COUNTRIES WITH HIGHEST NUMBER OF INTERNET USERS
> 
> #  Country or Region  Population, 2011 Est  Internet Users  Penetration (% Population)
> -  -----------------  --------------------  --------------  --------------------------
> 1  China              1,336,718,015         513,100,000     38.4 %
> 2  United States        313,232,044         245,203,319     10.8 %
> 3  India              1,189,172,906         121,000,000      5.3 %
> 4  Japan                126,475,664         101,228,736      4.4 %
> 5  Brazil               194,037,075          81,798,000      3.6 %
> 
> This could also benefit millions of Chinese and Indian people who only visit
> Chinese or Indian web sites.
> 
> I'm sure that it would be difficult to make the UI broadly understandable, but
> the upside (IMO) would be much more limited impact of a future security
> breach at one of these smaller geography-based CAs.
> 
> As an alternative, I think there's value in providing some easy way to disable
> trust for all roots. I've done this for all my browsers, and then over time as I
> encounter each new one I make a conscious decision to trust it or not. I
> realize that only security geeks like me would do this, but it sure would be
> nice to make it easier than having to manually turn off the trust bits for all
> 300+ roots.
> 
> I welcome constructive criticism of this idea. Thanks,
> 
> -Rick
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
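
A sketch of the in-context warning logic proposed in the reply at the top of this message, added here as an illustration; it is not code from the thread or from any browser. The CA names, the `"*"` marker for a globally annotated CA, and the choice to opt in to all of a CA's language groups on one click-through are assumptions.

```javascript
// Constructed root-store annotations (placeholder CA names): each CA lists the
// language groups it does business in; "*" marks a CA serving the global market.
const ROOT_STORE = new Map([
  ["Example Global CA", ["*"]],
  ["Example NL CA", ["nl"]],
  ["Example ZH CA", ["zh"]],
  ["Example Iberia CA", ["es", "pt"]],
]);

class LocaleTrustPolicy {
  constructor(installedLanguages) {
    this.installed = new Set(installedLanguages); // OS-level language packs
    this.accepted = new Set(); // language groups the user has opted into
  }

  // Decide what the browser does for a chain ending at `issuer`.
  evaluate(issuer) {
    const groups = ROOT_STORE.get(issuer);
    if (!groups) return { action: "untrusted", groups: [] }; // not in the store
    const familiar = groups.some(
      (g) => g === "*" || this.installed.has(g) || this.accepted.has(g)
    );
    return familiar
      ? { action: "allow", groups: [] }
      : { action: "warn", groups }; // in-context interstitial
  }

  // The user clicked through the interstitial. Assumption: this opts in to
  // every language group the CA is annotated with.
  accept(groups) {
    for (const g of groups) this.accepted.add(g);
  }
}

// Replay a browsing session; returns the action taken for each visit.
function simulateVisits(policy, issuers, userAccepts) {
  return issuers.map((issuer) => {
    const decision = policy.evaluate(issuer);
    if (decision.action === "warn" && userAccepts) policy.accept(decision.groups);
    return decision.action;
  });
}

// Constructed session for a user with only English installed.
const session = ["Example Global CA", "Example NL CA", "Example NL CA",
                 "Example Iberia CA", "Example ZH CA", "Unlisted CA"];
console.log(simulateVisits(new LocaleTrustPolicy(["en"]), session, true));
```

A CA annotated `"*"` never reaches the warning path, which is the breakdown the reply describes if nearly every CA asks for the global annotation.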

