[cabfpub] Localized CAs (was: Food for Thought)

Phillip philliph at comodo.com
Thu Aug 30 18:45:44 UTC 2012


But Iran attacked Facebook, not a company inside Iran

And I can't quite see why an attacker would draw attention to themselves by triggering an export embargo violation control.



On Aug 30, 2012, at 12:21 PM, Hill, Brad wrote:

> If that's common for your customers, you wouldn't opt-in to declaring your CA as only serving a limited market.  
> 
> I think the most obvious use case would be government-associated CAs (of which there are already many) that only issue for businesses, citizens or other governmental entities within their own jurisdictions and want to reduce their attractiveness to attackers.   Though a few commercial CAs might choose to do so, certainly none of the major players today would.
> 
> If there is no interest, it isn't worth pursuing.  But as Ryan Hurst has pointed out, http://unmitigatedrisk.com/?p=181, there are already 46 government owned and operated root certificates in the Windows trust store, operated by 33 different agencies in 26 countries.  That's a pretty big number.  Almost certainly we will have more in the future.  
> 
> Maybe for commercial CAs a more interesting capability would be to be able to declare markets you do *not* do business in: Iran, China, etc.
> 
>> -----Original Message-----
>> From: Brian Trzupek [mailto:BTrzupek at trustwave.com]
>> Sent: Thursday, August 30, 2012 8:07 AM
>> To: Hill, Brad
>> Cc: Phillip; Rick Andrews; public at cabforum.org
>> Subject: Re: [cabfpub] Localized CAs (was: Food for Thought)
>> 
>> So, a pretty common use case for us is a customer buys a SAN certificate and
>> adds several ccTLDs/gTLDs for their company like so:
>> 
>> www.company.com
>> company.com
>> www.company.co.uk
>> www.company.de
>> www.company.es
>> www.company.hk
>> www.company.net
>> etc..
>> 
>> How would this jive with what you are proposing such that we could continue
>> to serve customers in this manner?
>> 
>> Thanks,
>> Brian
>> 
>> On Aug 29, 2012, at 4:12 PM, "Hill, Brad" <bhill at paypal-inc.com> wrote:
>> 
>>>> From: Chris Palmer [mailto:palmer at google.com] Would it as well as or
>>>> better than name constraints? It seems harder to get right than name
>>>> constraints.
>>> 
>>>> -----Original Message-----
>>>> From: Phillip [mailto:philliph at comodo.com] The real test is whether a
>>>> control can reduce an acceptably large percentage of negative
>>>> outcomes without an unacceptable rate of false reports.
>>>> 
>>> 
>>> [Hill, Brad] I'm thinking something like an external set of annotations for
>> root or intermediate CA certificates.  CAs would voluntarily opt-in to setting
>> the regions or language communities in which they do business.  As an
>> external set of annotations, they could choose to change that in a much more
>> lightweight fashion than updating the root cert itself.
>>> 
>>> How effective it is depends on how many would choose to opt-in.  Would
>> any?  I don't know.  I know of plenty of US businesses who do things like
>> blackhole all IP addresses in China or Russia because they have no customers
>> there, only attackers.
>>> 
>>> Name constraints are just not going to happen outside of an enterprise
>> context because there is no real mapping between TLDs and customer
>> communities.  Even outside the realm of the gTLDs, look at the wide use of
>> "vanity" ccTLDs like ".ly" or ".tv".
>>> 
>>> If 25% of CAs opted-in, that would be perhaps a 99% reduction in their
>> value as a target, and a 25% reduction for everyone outside their customer/RP
>> community in the single-point-of-failure attack surface.  That's pretty good, if
>> you ask me.
>>> 
>>> If these annotations were of a standard format and user-modifiable, it
>> would also provide an easy platform for supporting additional trust lists,
>> whether provided by your IT department, the EU, or an independent
>> organization like the Tor Project.
>>> 
>>> Shades of Convergence / Omnibroker, but with defaults opted-in to by the
>> CAs themselves that give some immediate benefit to even non-technical users
>> who won't customize their trust list.
>>> 
>>> This system could also let us deal with cases where national audit /
>> accreditation schemes and auditors are found to be inadequate: CAs audited
>> by such bodies, rather than to an international standard, might be restricted
>> to only that language community; thus reducing risks to the global Internet
>> without interfering in local sovereignty.
>>> 
>>> -Brad
>>> 
>>> 
>>> _______________________________________________
>>> Public mailing list
>>> Public at cabforum.org
>>> https://cabforum.org/mailman/listinfo/public
>>> 
>> 
>> 
>> This transmission may contain information that is privileged, confidential,
>> and/or exempt from disclosure under applicable law. If you are not the
>> intended recipient, you are hereby notified that any disclosure, copying,
>> distribution, or use of the information contained herein (including any
>> reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in
>> error, please immediately contact the sender and destroy the material in its
>> entirety, whether in electronic or hard copy format.
> 




More information about the Public mailing list