[cabfpub] Localized CAs (was: Food for Thought)

Hill, Brad bhill at paypal-inc.com
Wed Aug 29 21:12:59 UTC 2012


> From: Chris Palmer [mailto:palmer at google.com]
> Would it work as well as or better than name constraints? It seems harder to get
> right than name constraints.

> -----Original Message-----
> From: Phillip [mailto:philliph at comodo.com]
> The real test is whether a control can reduce an acceptably large percentage
> of negative outcomes without an unacceptable rate of false reports.
> 

[Hill, Brad] I'm thinking something like an external set of annotations for root or intermediate CA certificates.  CAs would voluntarily opt-in to setting the regions or language communities in which they do business.  As an external set of annotations, they could choose to change that in a much more lightweight fashion than updating the root cert itself.

How effective it is depends on how many would choose to opt-in.  Would any?  I don't know.  I know of plenty of US businesses who do things like blackhole all IP addresses in China or Russia because they have no customers there, only attackers.

Name constraints are just not going to happen outside of an enterprise context because there is no real mapping between TLDs and customer communities.  Even outside the realm of the gTLDs, look at the wide use of "vanity" ccTLDs like ".ly" or ".tv". 

If 25% of CAs opted-in, that would be perhaps a 99% reduction in their value as a target, and a 25% reduction for everyone outside their customer/RP community in the single-point-of-failure attack surface.  That's pretty good, if you ask me.

If these annotations were of a standard format and user-modifiable, it would also provide an easy platform for supporting additional trust lists, whether provided by your IT department, the EU, or an independent organization like the Tor Project.

Shades of Convergence / Omnibroker, but with defaults opted-in to by the CAs themselves that give some immediate benefit to even non-technical users who won't customize their trust list.

This system could also let us deal with cases where national audit / accreditation schemes and auditors are found to be inadequate: CAs audited by such bodies, rather than to an international standard, might be restricted to only that language community, thus reducing risks to the global Internet without interfering in local sovereignty.

-Brad
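A sketch of the opt-in annotation idea from the message above, added here as an illustration and not code from the list or from any CA or browser project. Root identifiers, region/language scopes and the overlay are all constructed placeholders; the "region OR language community" matching rule and the "no annotation means unrestricted, as today" default are assumptions about how such a scheme would be evaluated.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Annotation:
    """Opt-in scope for one root: ISO 3166 region codes and BCP 47 language tags.
    An annotation with no regions and no languages is unrestricted."""
    regions: frozenset = frozenset()
    languages: frozenset = frozenset()


# Constructed sample data: placeholder root identifiers, not real CA fingerprints.
ROOTS = ("ROOT-A", "ROOT-B", "ROOT-C", "ROOT-D")
DEFAULT_ANNOTATIONS = {
    "ROOT-A": Annotation(regions=frozenset({"US", "CA"}), languages=frozenset({"en"})),
    "ROOT-B": Annotation(regions=frozenset({"CN"}), languages=frozenset({"zh"})),
    # ROOT-C and ROOT-D did not opt in and stay unrestricted, as today.
}


def merge_policy(defaults, overlay=None, distrusted=frozenset()):
    """Apply a user- or IT-supplied overlay on top of the CA-chosen defaults.
    Overlay entries replace a root's annotation; distrusted roots are dropped."""
    policy = {root: ann for root, ann in defaults.items() if root not in distrusted}
    for root, ann in (overlay or {}).items():
        if root not in distrusted:
            policy[root] = ann
    return policy


def root_allowed(root_id, rp_region, rp_language, policy, distrusted=frozenset()):
    """True if this root may vouch for a site shown to this relying party.
    Assumed rule: an annotated root matches when the RP is in any of its
    regions OR any of its language communities; an unannotated root always matches."""
    if root_id in distrusted:
        return False
    ann = policy.get(root_id)
    if ann is None or (not ann.regions and not ann.languages):
        return True  # no opt-in restriction: today's behaviour
    return rp_region in ann.regions or rp_language in ann.languages


def exposure(rp_region, rp_language, roots, policy, distrusted=frozenset()):
    """Roots able to vouch for sites this RP visits: the single-point-of-failure
    surface the message talks about, which shrinks as more CAs opt in."""
    return [r for r in roots if root_allowed(r, rp_region, rp_language, policy, distrusted)]
```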
