[cabfpub] Food for Thought

Rick Andrews Rick_Andrews at symantec.com
Tue Aug 28 18:59:00 UTC 2012


Forum,

I know this will be controversial, and I don't expect it to become a work item, but I wanted to throw out an idea for discussion.

CAs have taken a lot of heat for the "weakest link in the chain" failures that we saw last year. But one could argue that browsers are also at fault for creating a system in which all roots are automatically and equally trusted.

Like most US-based users, I never expect or need to trust any certificate issued by foreign, perhaps geography-based CAs like Chunghwa Telecom, CNNIC, Deutsche Telekom, e-Guven Kok Elektronik Sertifika Hizmet Saglayicisi, Generalitat Valenciana, Taiwan GRCA, Hellenic Academic and Research Institutions Cert. Authority, Hong Kong Post, Izenpe.com, NetLock Halozatbiztonsagi Kft., IGC/A, SECOM Trust Systems CO.,LTD., Sociedad Cameral de Certificación Digital, Staat der Nederlanden, Sociedad Cameral de Certificación Digital, Swisscom, TAIWAN-CA, Türkiye Bilimsel ve Teknolojik Araştırma Kurumu, or Unizeto Technologies S.A..

I see value in having the browser alert me (at install time or upgrade time) and say something like: "You appear to be based in the United States. It's recommended that you disable trust for Certificate Authorities that are foreign, if you never expect to visit web sites based in other countries. (Cancel) (Disable Trust)".

This may be challenging for Chrome, which doesn't own the root store, but there's probably a way to make it work.

I realize this may appear chauvinistic, but it can be country-specific at least for the few countries with the largest number of Internet users. Here's some statistics from http://www.internetworldstats.com/top20.htm:

	TOP 5 COUNTRIES WITH HIGHEST NUMBER OF INTERNET USERS

#	Country or Region	Population, 2011 Est	Internet Users	Penetration (% Population)
-	-----------------	--------------------	--------------	--------------------------
1	China			1,336,718,015			513,100,000		38.4 %
2	United States		  313,232,044			245,203,319		10.8 %
3	India			1,189,172,906			121,000,000		 5.3 %
4	Japan			  126,475,664			101,228,736		 4.4 %
5	Brazil			  194,037,075			 81,798,000		 3.6 %

This could also benefit millions of Chinese and Indian people who only visit Chinese or Indian web sites.

I'm sure that it would be difficult to make the UI broadly understandable, but the upside (IMO) would be much more limited impact of a future security breach at one of these smaller geography-based CAs.

As an alternative, I think there's value in providing some easy way to disable trust for all roots. I've done this for all my browsers, and then over time as I encounter each new one I make a conscious decision to trust it or not. I realize that only security geeks like me would do this, but it sure would be nice to make it easier than having to manually turn off the trust bits for all 300+ roots.

I welcome constructive criticism of this idea. Thanks,

-Rick



More information about the Public mailing list