[cabfpub] Difference between CA issued DV and DANE certs

Phillip philliph at comodo.com
Thu Oct 18 06:01:32 MST 2012


[Silly me, I replied to the thread on my gmail account which is subscribed to receive but not post to the list so these are a couple of days late]


On the question of whether browsers should implement DANE, it seems to me that there are two separate issues:

1) Should browsers turn on SSL/TLS when a DANE key is available?

Of course. In fact browsers should accept any key whatsoever to turn on SSL *if* the alternative is that it goes to the site with no security at all. The cost of turning on encryption is now negligible even if the security value of doing so is limited, as is the case with a self-signed certificate with no countersignature.


2) Should the browser tell the user they are safe?

Of course not. Merely turning on SSL does not make someone safe. The original intention of the padlock icon signal was that it would establish the accountability of the certificate subject. Subsequent weakening of the validation requirements has turned the practical significance into 'the transport is encrypted but the endpoint could be a Dalek for all I know'.

The argument for turning on the padlock for DANE seems to be that the DV certs have weakened the criteria for the padlock icon and established a precedent and that the even weaker criteria for DANE certs should be allowed to slide under as well.

I don't think that argument makes sense. Experts may know that the criteria for the padlock icon are weak but typical internet users do not. We should be working to make the padlock icon unnecessary by establishing a security policy mechanism that eliminates the need for the padlock icon. The idea that the user should have to check to see if their connection is secure was always stupid.



Coming back to something Rick said, there is a big difference between CA revocation of a cert and revocation of DNS zones.

The ICANN UDRP process is designed to handle disputes arising from trademark claims. Disputes typically take months to settle. A domain can be taken down more quickly but only if the domain holder does not provide contact information or respond. Even then it takes days rather than minutes. And minutes is what you need if you are going to prevent a phishing attack.

CAs are in a somewhat better position to act quickly since they have a direct relationship with the certificate holder while domain name holders only have an indirect relationship with ICANN. To date we have no information to suggest that organized crime has been running a CA with embedded public trust anchors. There have been multiple cases of registrars run by organized crime.

The CA contract with the certificate holder allows them to act to revoke a certificate in cases where it is being used for fraud. The domain name holder does not have a contract with ICANN and in the case of country code domains, the registry may not recognize ICANN as having any role whatsoever. ICANN's 'management' of the DNS space bears a striking resemblance to the claims made by Western explorers to 'own' the entire landmass of North America after landing on a small beach. WIPO's page on 'their' UDRP makes very interesting reading.


There is actually a very good reason for this difference. The DNS is designed to make it easy for people to get access to the Internet and in particular to establish an Internet presence that is independent of their ISP or government or other control entity. Enfranchisement of the Internet population is also a security concern and a much more important one for most Internet users than Internet crime.

I am very interested in stopping Internet crime, I even wrote a book on it. But stopping crime is not the only security interest nor is it the most important. I see no reason for Internet users to be required to surrender their security interest and their enfranchisement in the Internet for the sake of a modest reduction in bank fraud that the banks themselves write off as a cost of doing business.


The only way that we can balance the interests of Internet users in enfranchisement with the desire to control Internet crime is if we approach the problem in the same way that we approach spam and provide end users with tools for filtering. Anyone can send me mail but that doesn't mean that it has to end up in my inbox. 

We really cannot expect ICANN to police the DNS zone file to keep out crooks. There are billions of DNS names registered. It is a vast and complex infrastructure that is designed to make it as easy as possible to register.

Policing the DNS is a great idea but it is only going to happen if other people and companies step up to do it. 


Revocation is an important control used by CAs but it is not the only control. Increasingly sites that host malicious code are run by entirely innocent parties that just happened to be compromised. While revoking the old cert and issuing a new one is of course very desirable in that situation, it is purely precautionary and likely has no effect at all on security as the attacker compromised the Web server and (likely) not the private key. The much more important control is to clean up the infected machine and in particular strip out any leave-behinds embedded in Web pages etc.

The old model of security being a duel between the attacker and defender is completely obsolete. The typical Web master today has enough difficulty getting WordPress to run at all let alone deal with the consequences of someone trying to sabotage their efforts.