[cabfpub] Localized CAs (was: Food for Thought)

Brian Trzupek BTrzupek at trustwave.com
Thu Aug 30 13:59:23 MST 2012


This all reminds me of CA pinning (à la Chrome) - wouldn't that solution be more desirable for the interested parties?

Sent from my iPhone

On Aug 30, 2012, at 3:52 PM, "Phillip" <philliph at comodo.com> wrote:

> So Facebook still has to declare some sort of scope and this is an audit control rather than an access control?
>
> How does this provide any more leverage than the EFF observatory, (say) pulling the CAA records once a week for all domains with known certs and sounding an audit alarm if anything amiss is seen?
>
>
> The Web is either a post-national construct, a multi-national construct or both. Early on there were large spaces where no government claimed jurisdiction, now the default is that multiple governments might claim jurisdiction. Building infrastructure that assumes a one-to-one mapping seems obsolete to me in either case.
>
> Trying to distinguish between UK and US Internet companies at a technical level makes about as much sense as trying to distinguish Californian companies from Delaware. Yes, there are legal differences that occasionally matter to courts, but most of the time the difference only matters to lawyers and tax collectors.
>
>
> On Aug 30, 2012, at 4:17 PM, Hill, Brad wrote:
>
>> Facebook would get its cert, presumably, from a CA with a "Global" scope of business.
>>
>> Iranian users would have their browsers configured, presumably, for Global and Persian language / region.
>>
>> Theoretically, if Iran replaced Facebook's certificate with one issued by a CA that declared itself to only issue for the Dutch market, Iranian users would've gotten a warning that "This site has been identified by an authority doing business in the Dutch language community.  You have not previously visited sites identified by authorities in this community.  Do you want to continue and trust sites in this region?"
>>
>> Hopefully that would've raised enough eyebrows to trigger follow-up.
>>
>> Iran could've used that cert to attack Dutch users, but they weren't interested in that.
>>
>> Not sure what you mean about export controls.
>>
>>> -----Original Message-----
>>> From: Phillip [mailto:philliph at comodo.com]
>>> Sent: Thursday, August 30, 2012 11:46 AM
>>> To: Hill, Brad
>>> Cc: Brian Trzupek; Rick Andrews; public at cabforum.org
>>> Subject: Re: [cabfpub] Localized CAs (was: Food for Thought)
>>>
>>> But Iran attacked Facebook, not a company inside Iran
>>>
>>> And I can't quite see why an attacker would draw attention to themselves by
>>> triggering an export embargo violation control.
>>>
>>>
>>>
>>> On Aug 30, 2012, at 12:21 PM, Hill, Brad wrote:
>>>
>>>> If that's common for your customers, you wouldn't opt-in to declaring your CA as only serving a limited market.
>>>>
>>>> I think the most obvious use case would be government-associated CAs (of which there are already many) that only issue for businesses, citizens or other governmental entities within their own jurisdictions and want to reduce their attractiveness to attackers. Though a few commercial CAs might choose to do so, certainly none of the major players today would.
>>>>
>>>> If there is no interest, it isn't worth pursuing. But as Ryan Hurst has pointed out, http://unmitigatedrisk.com/?p=181, there are already 46 government owned and operated root certificates in the Windows trust store, operated by 33 different agencies in 26 countries. That's a pretty big number. Almost certainly we will have more in the future.
>>>>
>>>> Maybe for commercial CAs a more interesting capability would be to be able to declare markets you do *not* do business in: Iran, China, etc.
>>>>
>>>>> -----Original Message-----
>>>>> From: Brian Trzupek [mailto:BTrzupek at trustwave.com]
>>>>> Sent: Thursday, August 30, 2012 8:07 AM
>>>>> To: Hill, Brad
>>>>> Cc: Phillip; Rick Andrews; public at cabforum.org
>>>>> Subject: Re: [cabfpub] Localized CAs (was: Food for Thought)
>>>>>
>>>>> So, a pretty common use case for us is a customer buys a SAN
>>>>> certificate and adds several ccTLDs/gTLDs for their company like so:
>>>>>
>>>>> www.company.com
>>>>> company.com
>>>>> www.company.co.uk
>>>>> www.company.de
>>>>> www.company.es
>>>>> www.company.hk
>>>>> www.company.net
>>>>> etc..
>>>>>
>>>>> How would this jibe with what you are proposing such that we could
>>>>> continue to serve customers in this manner?
>>>>>
>>>>> Thanks,
>>>>> Brian
>>>>>
>>>>> On Aug 29, 2012, at 4:12 PM, "Hill, Brad" <bhill at paypal-inc.com> wrote:
>>>>>
>>>>>>> From: Chris Palmer [mailto:palmer at google.com]
>>>>>>> Would it as well as or better than name constraints? It seems harder to get right than name constraints.
>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Phillip [mailto:philliph at comodo.com]
>>>>>>> The real test is whether a control can reduce an acceptably large percentage of negative outcomes without an unacceptable rate of false reports.
>>>>>>>
>>>>>>
>>>>>> [Hill, Brad] I'm thinking something like an external set of annotations for root or intermediate CA certificates. CAs would voluntarily opt-in to setting the regions or language communities in which they do business. As an external set of annotations, they could choose to change that in a much more lightweight fashion than updating the root cert itself.
>>>>>>
>>>>>> How effective it is depends on how many would choose to opt-in. Would any? I don't know. I know of plenty of US businesses who do things like blackhole all IP addresses in China or Russia because they have no customers there, only attackers.
>>>>>>
>>>>>> Name constraints are just not going to happen outside of an enterprise context because there is no real mapping between TLDs and customer communities. Even outside the realm of the gTLDs, look at the wide use of "vanity" ccTLDs like ".ly" or ".tv".
>>>>>>
>>>>>> If 25% of CAs opted-in, that would be perhaps a 99% reduction in their value as a target, and a 25% reduction for everyone outside their customer/RP community in the single-point-of-failure attack surface. That's pretty good, if you ask me.
>>>>>>
>>>>>> If these annotations were of a standard format and user-modifiable, it would also provide an easy platform for supporting additional trust lists, whether provided by your IT department, the EU, or an independent organization like the Tor Project.
>>>>>>
>>>>>> Shades of Convergence / Omnibroker, but with defaults opted-in to by the CAs themselves that give some immediate benefit to even non-technical users who won't customize their trust list.
>>>>>>
>>>>>> This system could also let us deal with cases where national audit / accreditation schemes and auditors are found to be inadequate: CAs audited by such bodies, rather than to an international standard, might be restricted to only that language community; thus reducing risks to the global Internet without interfering in local sovereignty.
>>>>>>
>>>>>> -Brad
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> Public mailing list
>>>>>> Public at cabforum.org
>>>>>> https://cabforum.org/mailman/listinfo/public
>>>>>>
>>>>>
>>>>>
>>>>> This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
>>>>
>>
>
>
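
The relying-party check Brad Hill sketches in the quoted thread above, as an added example (not code from any participant, browser or CA): an external annotation list is consulted for each CA in the chain, and the client warns when a CA's declared community is not one the user has configured or previously accepted. The annotation format, CA names and community labels are constructed for illustration, and treating a declared exclusion as a warning is an assumption.

```python
from dataclasses import dataclass, field

GLOBAL = "global"

@dataclass(frozen=True)
class Scope:
    serves: frozenset = frozenset()    # empty = CA did not opt in, no restriction
    excludes: frozenset = frozenset()  # markets the CA declares it does not serve

@dataclass
class Client:
    communities: set                            # configured by the user
    accepted: set = field(default_factory=set)  # added when the user continues past a warning

# Constructed annotation list, kept outside the certificates so a CA can change
# its declaration without reissuing a root. All CA names are made up.
ANNOTATIONS = {
    "Example Global CA": Scope(serves=frozenset({GLOBAL})),
    "Example Dutch Gov CA": Scope(serves=frozenset({"dutch"})),
    "Example Commercial CA": Scope(excludes=frozenset({"iran", "china"})),
}

def evaluate(chain, client, annotations=ANNOTATIONS):
    """chain: CA names from the issuing CA up to the root. Returns (decision, reason)."""
    trusted = client.communities | client.accepted
    for ca in chain:
        scope = annotations.get(ca)
        if scope is None:
            continue  # unannotated CA: opt-in scheme, so it behaves as today
        hit = scope.excludes & client.communities
        if hit:
            return "warn", f"{ca} declares it does not serve {sorted(hit)}"
        if scope.serves and not (scope.serves & trusted):
            return "warn", f"{ca} only serves {sorted(scope.serves)}"
    return "accept", "every annotated CA in the chain covers this client"

def continue_past_warning(chain, client, annotations=ANNOTATIONS):
    """The user chose to continue: remember those communities for later visits."""
    for ca in chain:
        scope = annotations.get(ca)
        if scope:
            client.accepted |= scope.serves
```

The scope attaches to the CA, not to the names in the certificate, so a multi-ccTLD SAN certificate from a CA annotated as global is evaluated the same way as a single-name one.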



