[cabfpub] Localized CAs (was: Food for Thought)

Rick Andrews Rick_Andrews at symantec.com
Tue Aug 28 21:27:16 UTC 2012


Great discussion so far! I just wanted to clarify some points:
  - I didn't intend for this to work for every user in every country. If you just did it for US, India and China, you'd help protect over 50% of all Internet users
  - For anyone outside of those three countries (or if the user declined to change trust status), I propose the status quo (all roots trusted)

-Rick

> -----Original Message-----
> From: Phillip Hallam-Baker [mailto:hallam at gmail.com]
> Sent: Tuesday, August 28, 2012 1:00 PM
> To: Hill, Brad
> Cc: Rick Andrews; public at cabforum.org
> Subject: Re: [cabfpub] Localized CAs (was: Food for Thought)
> 
> I don't see that geographic extent is a particularly useful metric
> when the big CAs are mostly distributed geographically through
> affiliate programs.
> 
> What people might well prefer is a McAfee or a Symantec-AV or a
> Comodo-AV vetted list of certs.
> 
> 
> On Tue, Aug 28, 2012 at 3:17 PM, Hill, Brad <bhill at paypal-inc.com> wrote:
> > I'll also remind the list of my similar suggestion at the Norway meeting
> that browsers could use an algorithm similar to the anti-spoofing mechanism
> used today in some places to decide whether to display punycode or native
> scripts in the URL bar for IDNs: if you have the language pack
> installed/enabled at the OS level, show the native script, otherwise show
> punycode.
> >
> > In this case, the root store could annotate certain CAs as doing business in
> a set of language-based locales, and offer an interstitial warning the first
> time a user visits a site certified by an authority outside of their normal
> linguistic area. If the user decides, yes, I want to accept certificates
> issued for the Chinese/Dutch/Spanish/whatever market, then that warning is
> never shown again for that language group.
> >
> > I think a warning that only triggers when the actual condition is met, in-
> context, will be easier to "sell" to browsers and more usable than an out-of-
> context, install-time prompt to disable individual CAs.  99.9% of users have
> no idea what a CA even is, and they don't have the most helpful or meaningful
> names to most users - especially the ones outside your language.
> >
> > The place where this breaks down, of course, is that (nearly) all CAs will
> want to participate in the .com / "global English" space.  You might convince
> a few CAs that it is in their own best interest to restrict themselves to
> their actual markets to reduce their value as targets of attack (this would've
> served DigiNotar well) but I wonder how many businesses would volunteer to be
> part of such a restriction, or how root store programs would adjudicate
> imposing and managing such restrictions.
> >
> > -Brad
> >
> >> -----Original Message-----
> >> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org]
> >> On Behalf Of Rick Andrews
> >> Sent: Tuesday, August 28, 2012 11:59 AM
> >> To: public at cabforum.org
> >> Subject: [cabfpub] Food for Thought
> >>
> >> Forum,
> >>
> >> I know this will be controversial, and I don't expect it to become a work
> item,
> >> but I wanted to throw out an idea for discussion.
> >>
> >> CAs have taken a lot of heat for the "weakest link in the chain" failures
> that
> >> we saw last year. But one could argue that browsers are also at fault for
> >> creating a system in which all roots are automatically and equally trusted.
> >>
> >> Like most US-based users, I never expect or need to trust any certificate
> >> issued by foreign, perhaps geography-based CAs like Chunghwa Telecom,
> >> CNNIC, Deutsche Telekom, e-Guven Kok Elektronik Sertifika Hizmet
> Saglayicisi,
> >> Generalitat Valenciana, Taiwan GRCA, Hellenic Academic and Research
> >> Institutions Cert. Authority, Hong Kong Post, Izenpe.com, NetLock
> >> Halozatbiztonsagi Kft., IGC/A, SECOM Trust Systems CO.,LTD., Sociedad
> >> Cameral de Certificación Digital, Staat der Nederlanden, Sociedad Cameral
> de
> >> Certificación Digital, Swisscom, TAIWAN-CA, Türkiye Bilimsel ve Teknolojik
> >> Araştırma Kurumu, or Unizeto Technologies S.A..
> >>
> >> I see value in having the browser alert me (at install time or upgrade
> time)
> >> and say something like: "You appear to be based in the United States. It's
> >> recommended that you disable trust for Certificate Authorities that are
> >> foreign, if you never expect to visit web sites based in other countries.
> >> (Cancel) (Disable Trust)".
> >>
> >> This may be challenging for Chrome, which doesn't own the root store, but
> >> there's probably a way to make it work.
> >>
> >> I realize this may appear chauvinistic, but it can be country-specific at
> least for
> >> the few countries with the largest number of Internet users. Here's some
> >> statistics from http://www.internetworldstats.com/top20.htm:
> >>
> >>       TOP 5 COUNTRIES WITH HIGHEST NUMBER OF INTERNET USERS
> >>
> >> #     Country or Region       Population, 2011 Est    Internet Users
> >>       Penetration (% Population)
> >> -     -----------------       --------------------    --------------  -----
> ---------------------
> >> 1     China                   1,336,718,015                   513,100,000
> >>               38.4 %
> >> 2     United States             313,232,044                   245,203,319
> >>               10.8 %
> >> 3     India                   1,189,172,906                   121,000,000
> >>                5.3 %
> >> 4     Japan                     126,475,664                   101,228,736
> >>                4.4 %
> >> 5     Brazil                    194,037,075                    81,798,000
> >>                3.6 %
> >>
> >> This could also benefit millions of Chinese and Indian people who only
> visit
> >> Chinese or Indian web sites.
> >>
> >> I'm sure that it would be difficult to make the UI broadly understandable,
> but
> >> the upside (IMO) would be much more limited impact of a future security
> >> breach at one of these smaller geography-based CAs.
> >>
> >> As an alternative, I think there's value in providing some easy way to
> disable
> >> trust for all roots. I've done this for all my browsers, and then over time
> as I
> >> encounter each new one I make a conscious decision to trust it or not. I
> >> realize that only security geeks like me would do this, but it sure would
> be
> >> nice to make it easier than having to manually turn off the trust bits for
> all
> >> 300+ roots.
> >>
> >> I welcome constructive criticism of this idea. Thanks,
> >>
> >> -Rick
> >> _______________________________________________
> >> Public mailing list
> >> Public at cabforum.org
> >> https://cabforum.org/mailman/listinfo/public
> > _______________________________________________
> > Public mailing list
> > Public at cabforum.org
> > https://cabforum.org/mailman/listinfo/public
> 
> 
> 
> --
> Website: http://hallambaker.com/


More information about the Public mailing list