[cabfpub] Localized CAs (was: Food for Thought)
Phillip
philliph at comodo.com
Wed Aug 29 16:05:24 UTC 2012
I think we need to look at this from a systems perspective.
The valid criticism of the Web PKI as it stands is that the CAs are paid by the subject but are meant to safeguard the relying party. That is the root cause of 'race to the bottom &ct.' We need something more granular than blacklisting whole CAs. Nobody can blacklist the big 4 CAs and use the Web effectively.
Geographic extent does not seem to help at all to me. Microsoft had their CA knocked over by the US NSA, they also stole the code signing certs. Whether or not you agree that they were serving a national security interest or merely a political expediency, a US government agency attacked US companies. That is a bell that can't be unrung.
It seems to me that the use case driving this is rather stronger than mere certificate 'revocation'. It is really the denunciation of a cert known to be rogue. Conflating the two ends up with all sorts of problems. Google has made a series of proposals that are really 'ignore revocation and just do denunciation'. Which overlooks the fact that revocation is critical to the accountability model.
I think that what we need is a way to allow the user/enterprise to delegate trust decisions to a party of their own choice and make that independent of their browser choice. That has a number of key benefits:
1) It fits in with the existing AV business model so there are providers already performing this service that can add trust services into their mix. Comodo and Kaspersky have already done this. Having a business model is critical to deployment of Internet infrastructure in my view.
2) It allows a user to conform all their browsers and devices to the same trust model. At the moment the security of my machine is set to the weakest of Chrome, IE, Firefox and Safari (I run fusion on a macbook).
3) There is an obvious path to adapting the scheme to the Enterprise, if a machine is an enterprise machine it hooks up to the Enterprise trust service. If it is BYOD then there has to be some sort of policy that ensures that the right trust settings are applied to enterprise network resources.
4) The process is simple enough that Enterprises can conceivably run their own service off publicly available blacklists. Certificate denunciation is a pretty rare event.
On Aug 28, 2012, at 5:27 PM, Rick Andrews wrote:
> Great discussion so far! I just wanted to clarify some points:
> - I didn't intend for this to work for every user in every country. If you just did it for US, India and China, you'd help protect over 50% of all Internet users
> - For anyone outside of those three countries (or if the user declined to change trust status), I propose the status quo (all roots trusted)
>
> -Rick
>
>> -----Original Message-----
>> From: Phillip Hallam-Baker [mailto:hallam at gmail.com]
>> Sent: Tuesday, August 28, 2012 1:00 PM
>> To: Hill, Brad
>> Cc: Rick Andrews; public at cabforum.org
>> Subject: Re: [cabfpub] Localized CAs (was: Food for Thought)
>>
>> I don't see that geographic extent is a particularly useful metric
>> when the big CAs are mostly distributed geographically through
>> affiliate programs.
>>
>> What people might well prefer is a McAfee or a Symantec-AV or a
>> Comodo-AV vetted list of certs.
>>
>>
>> On Tue, Aug 28, 2012 at 3:17 PM, Hill, Brad <bhill at paypal-inc.com> wrote:
>>> I'll also remind the list of my similar suggestion at the Norway meeting
>> that browsers could use an algorithm similar to the anti-spoofing mechanism
>> used today in some places to decide whether to display punycode or native
>> scripts in the URL bar for IDNs: if you have the language pack
>> installed/enabled at the OS level, show the native script, otherwise show
>> punycode.
>>>
>>> In this case, the root store could annotate certain CAs as doing business in
>> a set of language-based locales, and offer an interstitial warning the first
>> time a user visits a site certified by an authority outside of their normal
>> linguistic area. If the user decides, yes, I want to accept certificates
>> issued for the Chinese/Dutch/Spanish/whatever market, then that warning is
>> never shown again for that language group.
>>>
>>> I think a warning that only triggers when the actual condition is met, in-
>> context, will be easier to "sell" to browsers and more usable than an out-of-
>> context, install-time prompt to disable individual CAs. 99.9% of users have
>> no idea what a CA even is, and they don't have the most helpful or meaningful
>> names to most users - especially the ones outside your language.
>>>
>>> The place where this breaks down, of course, is that (nearly) all CAs will
>> want to participate in the .com / "global English" space. You might convince
>> a few CAs that it is in their own best interest to restrict themselves to
>> their actual markets to reduce their value as targets of attack (this would've
>> served DigiNotar well) but I wonder how many businesses would volunteer to be
>> part of such a restriction, or how root store programs would adjudicate
>> imposing and managing such restrictions.
>>>
>>> -Brad
>>>
>>>> -----Original Message-----
>>>> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org]
>>>> On Behalf Of Rick Andrews
>>>> Sent: Tuesday, August 28, 2012 11:59 AM
>>>> To: public at cabforum.org
>>>> Subject: [cabfpub] Food for Thought
>>>>
>>>> Forum,
>>>>
>>>> I know this will be controversial, and I don't expect it to become a work
>> item,
>>>> but I wanted to throw out an idea for discussion.
>>>>
>>>> CAs have taken a lot of heat for the "weakest link in the chain" failures
>> that
>>>> we saw last year. But one could argue that browsers are also at fault for
>>>> creating a system in which all roots are automatically and equally trusted.
>>>>
>>>> Like most US-based users, I never expect or need to trust any certificate
>>>> issued by foreign, perhaps geography-based CAs like Chunghwa Telecom,
>>>> CNNIC, Deutsche Telekom, e-Guven Kok Elektronik Sertifika Hizmet
>> Saglayicisi,
>>>> Generalitat Valenciana, Taiwan GRCA, Hellenic Academic and Research
>>>> Institutions Cert. Authority, Hong Kong Post, Izenpe.com, NetLock
>>>> Halozatbiztonsagi Kft., IGC/A, SECOM Trust Systems CO.,LTD., Sociedad
>>>> Cameral de Certificación Digital, Staat der Nederlanden, Sociedad Cameral
>> de
>>>> Certificación Digital, Swisscom, TAIWAN-CA, Türkiye Bilimsel ve Teknolojik
>>>> Araştırma Kurumu, or Unizeto Technologies S.A..
>>>>
>>>> I see value in having the browser alert me (at install time or upgrade
>> time)
>>>> and say something like: "You appear to be based in the United States. It's
>>>> recommended that you disable trust for Certificate Authorities that are
>>>> foreign, if you never expect to visit web sites based in other countries.
>>>> (Cancel) (Disable Trust)".
>>>>
>>>> This may be challenging for Chrome, which doesn't own the root store, but
>>>> there's probably a way to make it work.
>>>>
>>>> I realize this may appear chauvinistic, but it can be country-specific at
>> least for
>>>> the few countries with the largest number of Internet users. Here's some
>>>> statistics from http://www.internetworldstats.com/top20.htm:
>>>>
>>>> TOP 5 COUNTRIES WITH HIGHEST NUMBER OF INTERNET USERS
>>>>
>>>> # Country or Region Population, 2011 Est Internet Users
>>>> Penetration (% Population)
>>>> - ----------------- -------------------- -------------- -----
>> ---------------------
>>>> 1 China 1,336,718,015 513,100,000
>>>> 38.4 %
>>>> 2 United States 313,232,044 245,203,319
>>>> 10.8 %
>>>> 3 India 1,189,172,906 121,000,000
>>>> 5.3 %
>>>> 4 Japan 126,475,664 101,228,736
>>>> 4.4 %
>>>> 5 Brazil 194,037,075 81,798,000
>>>> 3.6 %
>>>>
>>>> This could also benefit millions of Chinese and Indian people who only
>> visit
>>>> Chinese or Indian web sites.
>>>>
>>>> I'm sure that it would be difficult to make the UI broadly understandable,
>> but
>>>> the upside (IMO) would be much more limited impact of a future security
>>>> breach at one of these smaller geography-based CAs.
>>>>
>>>> As an alternative, I think there's value in providing some easy way to
>> disable
>>>> trust for all roots. I've done this for all my browsers, and then over time
>> as I
>>>> encounter each new one I make a conscious decision to trust it or not. I
>>>> realize that only security geeks like me would do this, but it sure would
>> be
>>>> nice to make it easier than having to manually turn off the trust bits for
>> all
>>>> 300+ roots.
>>>>
>>>> I welcome constructive criticism of this idea. Thanks,
>>>>
>>>> -Rick
>>>> _______________________________________________
>>>> Public mailing list
>>>> Public at cabforum.org
>>>> https://cabforum.org/mailman/listinfo/public
>>> _______________________________________________
>>> Public mailing list
>>> Public at cabforum.org
>>> https://cabforum.org/mailman/listinfo/public
>>
>>
>>
>> --
>> Website: http://hallambaker.com/
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
More information about the Public
mailing list