[cabfpub] Localized CAs (was: Food for Thought)

Hill, Brad bhill at paypal-inc.com
Wed Aug 29 16:23:35 UTC 2012


I disagree that it is just about certificate denunciation.  It is about reducing the value to the attacker of compromising a small, regional CA.  Right now the value to an attacker of compromising *any* CA is absolutely enormous, and consequently they are willing to expend enormous resources to do so - much more than especially a small CA can spend to defend itself.

Soft geographical/language zoning would allow a CA that only has ambitions to participate in a localized market to still have a no or extremely low friction experience for users in that market while greatly reducing the value of compromising that CA to adversaries outside that market.  DigiNotar only served the Dutch market.  There would've been little value to Iran in compromising it so it could target Persian speakers if such a mechanism were in place, even for a small percentage of browsers - as they could sound the alarm.

It's not perfect, it doesn't cover many possible scenarios, and many CAs would opt-out.

But it is potentially a very cheap and simple way to reduce the risk to the larger ecosystem (and to the CAs themselves - hopefully they would see the value of opting-in) of the growing number of smaller CAs that are globally trusted but only serve a limited market.

-Brad

> -----Original Message-----
> From: Phillip [mailto:philliph at comodo.com]
> Sent: Wednesday, August 29, 2012 9:05 AM
> To: Rick Andrews
> Cc: Phillip Hallam-Baker; Hill, Brad; public at cabforum.org
> Subject: Re: [cabfpub] Localized CAs (was: Food for Thought)
> 
> I think we need to look at this from a systems perspective.
> 
> The valid criticism of the Web PKI as it stands is that the CAs are paid by the
> subject but are meant to safeguard the relying party. That is the root cause of
> 'race to the bottom &ct.' We need something more granular than blacklisting
> whole CAs. Nobody can blacklist the big 4 CAs and use the Web effectively.
> 
> Geographic extent does not seem to help at all to me. Microsoft had their CA
> knocked over by the US NSA, they also stole the code signing certs. Whether
> or not you agree that they were serving a national security interest or merely
> a political expediency, a US government agency attacked US companies. That
> is a bell that can't be unrung.
> 
> It seems to me that the use case driving this is rather stronger than mere
> certificate 'revocation'. It is really the denunciation of a cert known to be
> rogue. Conflating the two ends up with all sorts of problems. Google has
> made a series of proposals that are really 'ignore revocation and just do
> denunciation'. Which overlooks the fact that revocation is critical to the
> accountability model.
> 
> 
> I think that what we need is a way to allow the user/enterprise to delegate
> trust decisions to a party of their own choice and make that independent of
> their browser choice. That has a number of key benefits:
> 
> 1) It fits in with the existing AV business model so there are providers already
> performing this service that can add trust services into their mix. Comodo and
> Kaspersky have already done this. Having a business model is critical to
> deployment of Internet infrastructure in my view.
> 
> 2) It allows a user to conform all their browsers and devices to the same trust
> model. At the moment the security of my machine is set to the weakest of
> Chrome, IE, Firefox and Safari (I run Fusion on a MacBook).
> 
> 3) There is an obvious path to adapting the scheme to the Enterprise, if a
> machine is an enterprise machine it hooks up to the Enterprise trust service. If
> it is BYOD then there has to be some sort of policy that ensures that the right
> trust settings are applied to enterprise network resources.
> 
> 4) The process is simple enough that Enterprises can conceivably run their
> own service off publicly available blacklists. Certificate denunciation is a
> pretty rare event.
> 
> 
> 
> 
> 
> On Aug 28, 2012, at 5:27 PM, Rick Andrews wrote:
> 
> > Great discussion so far! I just wanted to clarify some points:
> >  - I didn't intend for this to work for every user in every country.
> > If you just did it for US, India and China, you'd help protect over
> > 50% of all Internet users
> >  - For anyone outside of those three countries (or if the user
> > declined to change trust status), I propose the status quo (all roots
> > trusted)
> >
> > -Rick
> >
> >> -----Original Message-----
> >> From: Phillip Hallam-Baker [mailto:hallam at gmail.com]
> >> Sent: Tuesday, August 28, 2012 1:00 PM
> >> To: Hill, Brad
> >> Cc: Rick Andrews; public at cabforum.org
> >> Subject: Re: [cabfpub] Localized CAs (was: Food for Thought)
> >>
> >> I don't see that geographic extent is a particularly useful metric
> >> when the big CAs are mostly distributed geographically through
> >> affiliate programs.
> >>
> >> What people might well prefer is a McAfee or a Symantec-AV or a
> >> Comodo-AV vetted list of certs.
> >>
> >>
> >> On Tue, Aug 28, 2012 at 3:17 PM, Hill, Brad <bhill at paypal-inc.com> wrote:
> >>> I'll also remind the list of my similar suggestion at the Norway meeting
> >>> that browsers could use an algorithm similar to the anti-spoofing
> >>> mechanism used today in some places to decide whether to display
> >>> punycode or native scripts in the URL bar for IDNs: if you have the
> >>> language pack installed/enabled at the OS level, show the native
> >>> script, otherwise show punycode.
> >>>
> >>> In this case, the root store could annotate certain CAs as doing
> >>> business in a set of language-based locales, and offer an interstitial
> >>> warning the first time a user visits a site certified by an authority
> >>> outside of their normal linguistic area. If the user decides, yes, I want
> >>> to accept certificates issued for the Chinese/Dutch/Spanish/whatever
> >>> market, then that warning is never shown again for that language group.
> >>>
> >>> I think a warning that only triggers when the actual condition is met,
> >>> in-context, will be easier to "sell" to browsers and more usable than an
> >>> out-of-context, install-time prompt to disable individual CAs.
> >>> 99.9% of users have no idea what a CA even is, and they don't have
> >>> the most helpful or meaningful names to most users - especially the ones
> >>> outside your language.
> >>>
> >>> The place where this breaks down, of course, is that (nearly) all CAs
> >>> will want to participate in the .com / "global English" space.  You might
> >>> convince a few CAs that it is in their own best interest to restrict
> >>> themselves to their actual markets to reduce their value as targets
> >>> of attack (this would've served DigiNotar well) but I wonder how many
> >>> businesses would volunteer to be part of such a restriction, or how
> >>> root store programs would adjudicate imposing and managing such
> >>> restrictions.
> >>>
> >>> -Brad
> >>>
> >>>> -----Original Message-----
> >>>> From: public-bounces at cabforum.org
> >>>> [mailto:public-bounces at cabforum.org]
> >>>> On Behalf Of Rick Andrews
> >>>> Sent: Tuesday, August 28, 2012 11:59 AM
> >>>> To: public at cabforum.org
> >>>> Subject: [cabfpub] Food for Thought
> >>>>
> >>>> Forum,
> >>>>
> >>>> I know this will be controversial, and I don't expect it to become
> >>>> a work item, but I wanted to throw out an idea for discussion.
> >>>>
> >>>> CAs have taken a lot of heat for the "weakest link in the chain"
> >>>> failures that we saw last year. But one could argue that browsers are
> >>>> also at fault for creating a system in which all roots are
> >>>> automatically and equally trusted.
> >>>>
> >>>> Like most US-based users, I never expect or need to trust any
> >>>> certificate issued by foreign, perhaps geography-based CAs like
> >>>> Chunghwa Telecom, CNNIC, Deutsche Telekom, e-Guven Kok Elektronik
> >>>> Sertifika Hizmet Saglayicisi, Generalitat Valenciana, Taiwan GRCA,
> >>>> Hellenic Academic and Research Institutions Cert. Authority, Hong Kong
> >>>> Post, Izenpe.com, NetLock Halozatbiztonsagi Kft., IGC/A, SECOM Trust
> >>>> Systems CO.,LTD., Sociedad Cameral de Certificación Digital, Staat der
> >>>> Nederlanden, Sociedad Cameral de Certificación Digital, Swisscom,
> >>>> TAIWAN-CA, Türkiye Bilimsel ve Teknolojik Araştırma Kurumu, or Unizeto
> >>>> Technologies S.A.
> >>>>
> >>>> I see value in having the browser alert me (at install time or
> >>>> upgrade time) and say something like: "You appear to be based in the
> >>>> United States. It's recommended that you disable trust for Certificate
> >>>> Authorities that are foreign, if you never expect to visit web sites
> >>>> based in other countries. (Cancel) (Disable Trust)".
> >>>>
> >>>> This may be challenging for Chrome, which doesn't own the root
> >>>> store, but there's probably a way to make it work.
> >>>>
> >>>> I realize this may appear chauvinistic, but it can be
> >>>> country-specific at least for the few countries with the largest
> >>>> number of Internet users. Here are some statistics from
> >>>> http://www.internetworldstats.com/top20.htm:
> >>>>
> >>>>      TOP 5 COUNTRIES WITH HIGHEST NUMBER OF INTERNET USERS
> >>>>
> >>>> #  Country or Region  Population, 2011 Est  Internet Users  Penetration (% Population)
> >>>> -  -----------------  --------------------  --------------  --------------------------
> >>>> 1  China                     1,336,718,015     513,100,000                      38.4 %
> >>>> 2  United States               313,232,044     245,203,319                      10.8 %
> >>>> 3  India                     1,189,172,906     121,000,000                       5.3 %
> >>>> 4  Japan                       126,475,664     101,228,736                       4.4 %
> >>>> 5  Brazil                      194,037,075      81,798,000                       3.6 %
> >>>>
> >>>> This could also benefit millions of Chinese and Indian people who
> >>>> only visit Chinese or Indian web sites.
> >>>>
> >>>> I'm sure that it would be difficult to make the UI broadly
> >>>> understandable, but the upside (IMO) would be much more limited impact
> >>>> of a future security breach at one of these smaller geography-based
> >>>> CAs.
> >>>>
> >>>> As an alternative, I think there's value in providing some easy way
> >>>> to disable trust for all roots. I've done this for all my browsers,
> >>>> and then over time as I encounter each new one I make a conscious
> >>>> decision to trust it or not. I realize that only security geeks like
> >>>> me would do this, but it sure would be nice to make it easier than
> >>>> having to manually turn off the trust bits for all 300+ roots.
> >>>>
> >>>> I welcome constructive criticism of this idea. Thanks,
> >>>>
> >>>> -Rick
> >>>> _______________________________________________
> >>>> Public mailing list
> >>>> Public at cabforum.org
> >>>> https://cabforum.org/mailman/listinfo/public
> >>
> >>
> >>
> >> --
> >> Website: http://hallambaker.com/
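The two mechanisms argued over in this thread (Brad's root-store annotation with a one-time interstitial keyed to OS language packs, and Rick's "disable trust for foreign roots" prompt) reduce to a small trust decision per root. The following Python model is an added example written for this archive page; it is not code from the thread, from any browser, or from any root program. The root names, locale tags, and the "language pack enabled" signal are constructed assumptions, and a real implementation would key on the root's key identifier rather than a display name.

```python
"""Toy model of locale-zoned root trust (constructed example, not browser code)."""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed root-store annotations: hypothetical root name -> locale tags the
# CA declares it serves. An empty set models a CA that opted out of zoning and
# stays globally trusted, i.e. the "status quo" fallback both proposals keep.
ROOT_LOCALES: dict[str, frozenset[str]] = {
    "Example NL Root": frozenset({"nl"}),
    "Example TW Root": frozenset({"zh-TW"}),
    "Example Global Root": frozenset(),
}

TRUSTED, WARN, UNTRUSTED = "trusted", "warn", "untrusted"


@dataclass
class LocaleTrustPolicy:
    """Per-user trust state for the zoning scheme."""
    # Language packs enabled at the OS level: the same signal Brad notes
    # browsers already use for the IDN punycode decision (assumed input).
    user_locales: frozenset[str]
    # Locale groups the user accepted after clicking through the interstitial.
    accepted_groups: set[str] = field(default_factory=set)
    # Roots the user turned off outright (Rick's "Disable Trust" variant).
    disabled_roots: set[str] = field(default_factory=set)

    def decide(self, root: str) -> str:
        """Classify a chain anchored at `root` for this user."""
        zones = ROOT_LOCALES.get(root)
        if zones is None or root in self.disabled_roots:
            return UNTRUSTED          # not in the store, or user disabled it
        if not zones:
            return TRUSTED            # opted-out CA: trusted everywhere
        if zones & self.user_locales or zones & self.accepted_groups:
            return TRUSTED            # inside the user's linguistic area
        return WARN                   # first contact with a foreign zone

    def accept(self, root: str) -> None:
        """User accepted the interstitial: never warn again for that group."""
        self.accepted_groups |= set(ROOT_LOCALES.get(root, frozenset()))

    def disable_foreign(self) -> None:
        """Rick's proposal: disable every zoned root outside the user's locales.
        Opted-out (global) roots are left alone, as in the status-quo fallback."""
        for root, zones in ROOT_LOCALES.items():
            if zones and not zones & self.user_locales:
                self.disabled_roots.add(root)


def alarms(policy: LocaleTrustPolicy, observed_roots: list[str]) -> list[str]:
    """Roots that would trip the warning for this user. This is the signal Brad
    expects even a small share of zoned browsers to raise if a regional CA's
    certificates start showing up outside the market it declared."""
    return [root for root in observed_roots if policy.decide(root) == WARN]


if __name__ == "__main__":
    # Constructed scenario: an English-locale user meets three chains.
    policy = LocaleTrustPolicy(user_locales=frozenset({"en"}))
    seen = ["Example NL Root", "Example Global Root", "Example TW Root"]
    for root in seen:
        print(f"{root}: {policy.decide(root)}")
    print("would warn on:", alarms(policy, seen))
    policy.accept("Example NL Root")           # user clicks through once
    print("after accepting nl:", policy.decide("Example NL Root"))
```

The `WARN` outcome is deliberately not a hard failure: it models the in-context interstitial Brad prefers over an install-time prompt, and `accept` records the language group rather than the single root, matching his "never shown again for that language group". `disable_foreign` is the blunter variant Rick floats, and the test below shows that it leaves opted-out global roots untouched, which is where Brad concedes the scheme gives little protection.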


