[cabfpub] [cabfman] Improving the security of EV Certificates

Ryan Sleevi sleevi at google.com
Wed Dec 18 23:29:31 UTC 2013

On Wed, Dec 18, 2013 at 3:23 PM, Eddy Nigg (StartCom Ltd.) <
eddy_nigg at startcom.org> wrote:

> On 12/19/2013 12:46 AM, From Hill, Brad:
>> I guess nobody knows what you're talking about, then.
>> If you mean that every individual end-user ought to manually associate
>> certificates to website addresses in their browser(s) then naïve is not a
>> strong enough word.
> But this is exactly how Diginotar was detected however - basically a few
> emails back I suggested that browser vendors nail the most important sites
> in their browser as "pins" and allow users to pin additional certificates
> to the respective sites. It's a very simple and efficient way to get some
> protection and allows detection for the most important sites.

So your idea is that every end-user is capable of evaluating the security
policy of the site, without input of the site operator?

And who do these users yell at when pins break? The browser? The site
operator? Do they just unpin because 'Ooops, I shouldn't have pinned this?'

The suggestion that pinning is between user+browser, rather than
site+browser, is certainly a far worse model, utterly incomprehensible and
providing no value to end users.

Also, the idea that we should somehow balkanize the Internet, and only the
"very important ones" get security, at the discretion of browsers, is a
terrible one. CT provides protection for every single user and site
operator on the Internet - surely you can agree that has value?

Regardless of the views of pinning, however, the continued failures of the
WebTrust and ETSI audit schemes to "prevent" mis-issuance has demonstrated
to root store operators that it is no longer acceptable for continued trust
in CA operations. By requiring audits be transparent - which CT does - it
provides a much better trust signal to root stores and their users that the
participating CAs are deserving of trust. A simple audit letter from an
AICPA accountant or a qualified auditor is no longer sufficient, as the
continued events demonstrate.

That is yet another way in which CT and pinning are vastly different.

> I assume it's the same thing Rick referred to a few emails back as well.
> It's something that can be implemented easily at the client software as
> Google has already shown and the interested folks that have some
> understanding can refine it for their use.
> I'm sure I'm not the only one who uses the word "pinning" or to "pin a
> certificate" for this.

If they do, I'm happy to explain why this is a terrible idea that would
never work :)

> Regards
> Signer: Eddy Nigg, COO/CTO, StartCom Ltd. <http://www.startcom.org>
> XMPP: startcom at startcom.org
> Blog: Join the Revolution! <http://blog.startcom.org>
> Twitter: Follow Me <http://twitter.com/eddy_nigg>