[cabfpub] Food for Thought

Erwann Abalea erwann.abalea at keynectis.com
Tue Aug 28 12:54:09 MST 2012


Good evening,

Controversial topic, for sure.

Are you proposing some sort of "local Internet", where you can only 
trust what is geographically around you? Are you proposing some kind of 
dichotomy, with good CAs and grey+bad CAs?

I think your scenario is biased. You're surfing from the US, and 
probably the majority of the sites you're using daily are also US based 
ones.
But even in your scenario, how would you, for example, visit an official 
foreign site to get information for planning a trip?

Now consider a foreign user, for example from Luxembourg. Will he also 
be asked to disable trust on all foreign CAs? Even from geographically 
close countries such as Belgium or Germany, where he might more often 
move to? Since this user will also go on US based sites, will the US 
based CAs be activated by default?

How do you classify a CA as geography-based? The CAs listed below are 
mostly geography-based, I agree. But I guess you named them based on a 
heuristic; how would you code it into a browser? They are also non-CABF 
members, except for Izenpe.com, Chunghwa Telecom, SECOM Trust Systems, 
and TAIWAN CA, which could ease the decision process.

IIRC, "Hellenic Academic and Research Institutions Cert. Authority" was 
asked to generate a new root certificate to be included into Mozilla, 
with a nameConstraints, and they complied. It won't work because a 
constraint in the trust anchor won't be considered when following the 
validation path, but that's the start of a possible solution. Adding 
metadata next to each trust anchor to limit their scope could avoid the 
necessity to disable the trust bits. That's what is done for EV.

Next questions could be something like "is StartCom a geography-based 
CA?". It's not for me, but the fact that it's based in Israel can be 
problematic for some people (that's the first example to come, nothing 
personal). And now we're getting into political problems we wanted to 
avoid with ISO3166 stuff.

Having a better UI to disable trust can help. I also disabled most of 
the roots here, but when I faced errors with some necessary roots (such 
as the two 1024-bit ones still included in Mozilla and used widely), I 
had to search on whether these roots are enabled for websites, email, or 
code signing.

Interesting problem.

-- 
Erwann ABALEA

On 28/08/2012 20:59, Rick Andrews wrote:
> Forum,
>
> I know this will be controversial, and I don't expect it to become a work item, but I wanted to throw out an idea for discussion.
>
> CAs have taken a lot of heat for the "weakest link in the chain" failures that we saw last year. But one could argue that browsers are also at fault for creating a system in which all roots are automatically and equally trusted.
>
> Like most US-based users, I never expect or need to trust any certificate issued by foreign, perhaps geography-based CAs like Chunghwa Telecom, CNNIC, Deutsche Telekom, e-Guven Kok Elektronik Sertifika Hizmet Saglayicisi, Generalitat Valenciana, Taiwan GRCA, Hellenic Academic and Research Institutions Cert. Authority, Hong Kong Post, Izenpe.com, NetLock Halozatbiztonsagi Kft., IGC/A, SECOM Trust Systems CO.,LTD., Sociedad Cameral de Certificación Digital, Staat der Nederlanden, Sociedad Cameral de Certificación Digital, Swisscom, TAIWAN-CA, Türkiye Bilimsel ve Teknolojik Araştırma Kurumu, or Unizeto Technologies S.A..
>
> I see value in having the browser alert me (at install time or upgrade time) and say something like: "You appear to be based in the United States. It's recommended that you disable trust for Certificate Authorities that are foreign, if you never expect to visit web sites based in other countries. (Cancel) (Disable Trust)".
>
> This may be challenging for Chrome, which doesn't own the root store, but there's probably a way to make it work.
>
> I realize this may appear chauvinistic, but it can be country-specific at least for the few countries with the largest number of Internet users. Here's some statistics from http://www.internetworldstats.com/top20.htm:
>
> 	TOP 5 COUNTRIES WITH HIGHEST NUMBER OF INTERNET USERS
>
> #  Country or Region  Population, 2011 Est  Internet Users  Penetration (% Population)
> -  -----------------  --------------------  --------------  --------------------------
> 1  China                     1,336,718,015     513,100,000                      38.4 %
> 2  United States               313,232,044     245,203,319                      10.8 %
> 3  India                     1,189,172,906     121,000,000                       5.3 %
> 4  Japan                       126,475,664     101,228,736                       4.4 %
> 5  Brazil                      194,037,075      81,798,000                       3.6 %
>
> This could also benefit millions of Chinese and Indian people who only visit Chinese or Indian web sites.
>
> I'm sure that it would be difficult to make the UI broadly understandable, but the upside (IMO) would be much more limited impact of a future security breach at one of these smaller geography-based CAs.
>
> As an alternative, I think there's value in providing some easy way to disable trust for all roots. I've done this for all my browsers, and then over time as I encounter each new one I make a conscious decision to trust it or not. I realize that only security geeks like me would do this, but it sure would be nice to make it easier than having to manually turn off the trust bits for all 300+ roots.
>
> I welcome constructive criticism of this idea. Thanks,
>
> -Rick
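As an added example (not code from this thread, from Mozilla, or from any browser), here is one way to express the per-trust-anchor scope metadata Erwann describes: a dNSName subtree list plus the website/email/code-signing trust bits, checked by the relying party after ordinary path validation, since RFC 5280 validators do not apply constraints carried in the anchor itself. The root names and scopes are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class AnchorScope:
    """Out-of-band scope metadata stored next to one root (hypothetical format)."""
    permitted: tuple = ()            # dNSName subtrees the root may vouch for
    excluded: tuple = ()             # subtrees carved out of 'permitted'
    usages: frozenset = frozenset({"server", "email", "codesign"})  # trust bits

def dns_in_subtree(host: str, subtree: str) -> bool:
    """RFC 5280 4.2.1.10 dNSName rule: the host equals the subtree or adds
    labels to its left. Compared case-insensitively and on a label boundary,
    so 'notexample.gr' does not match the subtree 'example.gr'."""
    host = host.lower().rstrip(".")
    subtree = subtree.lower().rstrip(".")
    return host == subtree or host.endswith("." + subtree)

def anchor_allows(host: str, usage: str, scope: AnchorScope) -> bool:
    """True if the root's metadata permits 'host' for the requested trust bit."""
    if usage not in scope.usages:
        return False
    if any(dns_in_subtree(host, s) for s in scope.excluded):
        return False
    if not scope.permitted:          # empty permitted list: unrestricted root
        return True
    return any(dns_in_subtree(host, s) for s in scope.permitted)

# Constructed sample store: one geography-scoped root beside one global root.
ROOT_SCOPES = {
    "Example Academic Root (constructed)": AnchorScope(
        permitted=("example.gr", "example.edu.gr"), usages=frozenset({"server"})),
    "Example Global Root (constructed)": AnchorScope(),
}

def check_chain(host: str, usage: str, root_name: str) -> bool:
    """Run after the chain already validated up to 'root_name': enforce the
    root's scope here, because path validation ignores constraints in the anchor."""
    scope = ROOT_SCOPES.get(root_name)
    return scope is not None and anchor_allows(host, usage, scope)

if __name__ == "__main__":
    academic = "Example Academic Root (constructed)"
    print(check_chain("www.example.gr", "server", academic))      # True
    print(check_chain("www.bank.example", "server", academic))    # False
```

A root left with an empty `permitted` list behaves exactly as today, so the metadata only ever narrows what a root can vouch for and never widens it.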
