[cabfpub] [cabfman] Improving the security of EV Certificates

Rick Andrews Rick_Andrews at symantec.com
Wed Dec 18 19:13:48 UTC 2013


Moving back to the public list, with Eddy’s permission.

I agree with Eddy that pinning appears to be a very effective and low-cost solution. My impression is that many of the past mis-issuances were detected by Chrome’s pinning support. Is that accurate?

-Rick

From: management-bounces at cabforum.org [mailto:management-bounces at cabforum.org] On Behalf Of Eddy Nigg (StartCom Ltd.)
Sent: Wednesday, December 18, 2013 9:56 AM
To: 'management at cabforum.org'
Subject: Re: [cabfman] Improving the security of EV Certificates


On 12/18/2013 07:28 PM, From Jeremy Rowley:
> Pinning is more risky for unsophisticated users who could brick their systems.


I don't think so... such users would never use it, the same way such users would never investigate a log or list of certificates.


> Plus, pinning becomes a market divider so I’d worry about anti-trust violations if the recommendation came from the CAB Forum.


How come, can you explain?


> Transparency, in my view, is better because it requires a change only by the CAs and browsers, not by the users.  The information is then available for any researcher to digest and evaluate, not just the end user.

It's mostly the competing CAs!!!, software vendors, Netcraft and friends, and some researchers that care about it (EFF, Qualys and some others). It's the same crowd that would use pinning too.


> A headache is when another DigiNotar is compromised, issues a couple thousand certificates fraudulently, and covers it up for several months.

Truly a problem, but it may be attacked from a different angle (how about a different approach to auditing?). I mean, we are doing our utmost to comply with all the various requirements and much more than that - a price we are willing to pay because this is what we are here for. Now this proposal has a significant price tag for something that hasn't been tested and used over time, with the "only" goal of detecting the next DigiNotar.

IMO pinning can achieve the same, way cheaper (for me). And again, if we could combine it with revocation, for example, the benefit would be much bigger and would trade off against the expenses/efforts...

Regards



Signer:   Eddy Nigg, COO/CTO
          StartCom Ltd. <http://www.startcom.org>
XMPP:     startcom at startcom.org <xmpp:startcom at startcom.org>
Blog:     Join the Revolution! <http://blog.startcom.org>
Twitter:  Follow Me <http://twitter.com/eddy_nigg>
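The check the thread calls "pinning", as an added example; this is not code from the thread, from Chrome, or from any participant. It uses the SPKI-hash form of Chrome's preloaded pins that was later standardized for HPKP (RFC 7469): base64 of SHA-256 over the DER-encoded SubjectPublicKeyInfo, compared against a small pinned set. Everything else is constructed for the example: the DER helpers, the names "Legit CA", "Compromised CA" and www.example.com, the moduli (deterministic numbers, not real RSA keys) and the placeholder signatures. No chain validation is done, which is exactly the point the thread is making: a certificate a compromised CA mis-issues for a pinned host can chain to a trusted root and still fail, because its key is not in the set.

```python
import base64
import hashlib

# --- minimal DER encoder: constructed helpers, just enough for a toy certificate ---
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_int(n):  # positive INTEGER; adds a leading 0x00 byte when the top bit is set
    return der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return der(0x06, bytes(body))

# --- minimal DER decoder ---
def parse_tlv(buf, off=0):
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[off + 2:off + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = off + hdr
    return tag, buf[start:start + length], start + length

def children(body):  # (tag, raw TLV) for each element; the pin hashes the raw TLV as-is
    out, off = [], 0
    while off < len(body):
        tag, _, nxt = parse_tlv(body, off)
        out.append((tag, body[off:nxt]))
        off = nxt
    return out

def extract_spki(cert_der):
    """Raw DER SubjectPublicKeyInfo TLV of an X.509 certificate (no signature check)."""
    _, cert_body, _ = parse_tlv(cert_der)
    _, tbs_body, _ = parse_tlv(cert_body)   # tbsCertificate is the first element
    fields = children(tbs_body)
    if fields[0][0] == 0xA0:                # optional EXPLICIT [0] version
        fields = fields[1:]
    tag, spki = fields[5]   # serial, signature, issuer, validity, subject, SPKI
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo not found")
    return spki

def pin_of_spki(spki_der):  # HPKP / RFC 7469 pin-sha256 form
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def spki_pin(cert_der):
    return pin_of_spki(extract_spki(cert_der))

def pin_ok(cert_der, pinned):
    """The pinning decision: the certificate's SPKI hash must be in the pin set."""
    return spki_pin(cert_der) in pinned

# --- constructed toy certificates: placeholder signature, never chain-validated ---
OID_RSA, OID_SHA256_RSA, OID_CN = "1.2.840.113549.1.1.1", "1.2.840.113549.1.1.11", "2.5.4.3"

def rsa_spki(modulus, exponent=65537):
    alg = der(0x30, der_oid(OID_RSA) + der(0x05, b""))
    key = der(0x30, der_int(modulus) + der_int(exponent))
    return der(0x30, alg + der(0x03, b"\x00" + key))

def name(cn):  # Name ::= SEQUENCE OF RelativeDistinguishedName (SET OF AttributeTypeAndValue)
    return der(0x30, der(0x31, der(0x30, der_oid(OID_CN) + der(0x0C, cn.encode()))))

def toy_cert(subject_cn, issuer_cn, modulus, serial):
    sig_alg = der(0x30, der_oid(OID_SHA256_RSA) + der(0x05, b""))
    validity = der(0x30, der(0x17, b"131218000000Z") + der(0x17, b"141218000000Z"))
    tbs = der(0x30, der(0xA0, der_int(2)) + der_int(serial) + sig_alg
              + name(issuer_cn) + validity + name(subject_cn) + rsa_spki(modulus))
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00" * 33))  # placeholder signature

def fake_modulus(seed):  # deterministic odd 2048-bit number standing in for an RSA modulus
    return int.from_bytes(hashlib.sha256(seed).digest() * 8, "big") | (1 << 2047) | 1

MOD_SITE, MOD_BACKUP, MOD_ATTACKER = (fake_modulus(s) for s in (b"site", b"backup", b"attacker"))
GENUINE = toy_cert("www.example.com", "Legit CA", MOD_SITE, 1001)
MISISSUED = toy_cert("www.example.com", "Compromised CA", MOD_ATTACKER, 424242)

def demo():
    # pin set = current key plus an offline backup key, so a planned rotation does not lock users out
    pins = {pin_of_spki(rsa_spki(MOD_SITE)), pin_of_spki(rsa_spki(MOD_BACKUP))}
    return pin_ok(GENUINE, pins), pin_ok(MISISSUED, pins)  # (True, False)
```

Two things a browser implementation does that this toy leaves out: the pin is evaluated against every SubjectPublicKeyInfo in the validated chain, not just the leaf, so a site can pin to its CA's key instead of its own; and the pinned set is required to carry at least one backup key kept offline, which is what keeps a routine key rotation from turning into the lock-out scenario raised in the thread.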



