[cabfpub] Food for Thought
Stephen Davidson
S.Davidson at quovadisglobal.com
Tue Aug 28 20:20:18 UTC 2012
Hi Rick:
In no particular order:
1. The reciprocal side is that some countries might want to block US-based CAs.
2. Or would a small set of CAs be deemed "global"? How could that be impartially determined? How would that accommodate new entrants to the SSL market?
3. Many of the CAs you mention are relevant outside the boundaries of their own country - so the setting would need to be broadly regional at best. For example, the EU is trying to encourage cross-border use of CAs.
4. Trust may even gravitate away from browser root stores to things like the EU TSLs, signed XML feeds which include only CAs and cert classes that are under Government regulation/supervision.
Best, Stephen
-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Rick Andrews
Sent: Tuesday, August 28, 2012 3:59 PM
To: public at cabforum.org
Subject: [cabfpub] Food for Thought
Forum,
I know this will be controversial, and I don't expect it to become a work item, but I wanted to throw out an idea for discussion.
CAs have taken a lot of heat for the "weakest link in the chain" failures that we saw last year. But one could argue that browsers are also at fault for creating a system in which all roots are automatically and equally trusted.
Like most US-based users, I never expect or need to trust any certificate issued by foreign, perhaps geography-based CAs like Chunghwa Telecom, CNNIC, Deutsche Telekom, e-Guven Kok Elektronik Sertifika Hizmet Saglayicisi, Generalitat Valenciana, Taiwan GRCA, Hellenic Academic and Research Institutions Cert. Authority, Hong Kong Post, Izenpe.com, NetLock Halozatbiztonsagi Kft., IGC/A, SECOM Trust Systems CO.,LTD., Sociedad Cameral de Certificación Digital, Staat der Nederlanden, Sociedad Cameral de Certificación Digital, Swisscom, TAIWAN-CA, Türkiye Bilimsel ve Teknolojik Araştırma Kurumu, or Unizeto Technologies S.A.
I see value in having the browser alert me (at install time or upgrade time) and say something like: "You appear to be based in the United States. It's recommended that you disable trust for Certificate Authorities that are foreign, if you never expect to visit web sites based in other countries. (Cancel) (Disable Trust)".
This may be challenging for Chrome, which doesn't own the root store, but there's probably a way to make it work.
I realize this may appear chauvinistic, but it can be country-specific at least for the few countries with the largest number of Internet users. Here are some statistics from http://www.internetworldstats.com/top20.htm:
TOP 5 COUNTRIES WITH HIGHEST NUMBER OF INTERNET USERS

#  Country or Region  Population, 2011 Est  Internet Users  Penetration (% Population)
-  -----------------  --------------------  --------------  --------------------------
1  China              1,336,718,015         513,100,000     38.4 %
2  United States      313,232,044           245,203,319     10.8 %
3  India              1,189,172,906         121,000,000     5.3 %
4  Japan              126,475,664           101,228,736     4.4 %
5  Brazil             194,037,075           81,798,000      3.6 %
This could also benefit millions of Chinese and Indian people who only visit Chinese or Indian web sites.
I'm sure that it would be difficult to make the UI broadly understandable, but the upside (IMO) would be much more limited impact of a future security breach at one of these smaller geography-based CAs.
As an alternative, I think there's value in providing some easy way to disable trust for all roots. I've done this for all my browsers, and then over time as I encounter each new one I make a conscious decision to trust it or not. I realize that only security geeks like me would do this, but it sure would be nice to make it easier than having to manually turn off the trust bits for all 300+ roots.
I welcome constructive criticism of this idea. Thanks,
-Rick