Ben,

Some comments on your post. Please understand that I'm not being defensive about EV, or claiming that it's perfect - I just want to test your arguments a little bit.

Ben Bucksch wrote:
EV solution by the "CA/Browser Forum": A bunch of CAs came up with a proposal of a new cert standard. Mainly, it mandates the checks that the CA has to do to verify the certificate holder. They are intended to be sold to high-profile sites like eBay.com, and cost $1000/year upwards.

Just to be clear: They are not _intended_ to cost $1000/year upwards; the CAB Forum had no discussions on and makes no mandates about pricing. (That would fall foul of antitrust law.) However, that seems to have been the average price at which CAs have launched the new certs.

Don't be fooled by the language and length, though. "Qualified Independent Information Sources" could probably simply be a phonebook, and a "site audit" is a clerk looking at the sign on the street and peeking in the lobby. That's not what *I* would call an "audit".

Right. But how many phishers have an office with a street sign saying "eBay" and a lobby?

The "phone number verification" happens by calling the number and seeing who answers (Me at 0900-123456: "Microsoft, how can I help you?") (16(b)(2)(A)+(C)). So, I could apply as Microsoft, supply them my number, answer as Microsoft, and that's the verification.

Except you can't, because there won't be any information sources which confirm that your number belongs to Microsoft. Because it doesn't.

To top it, this number can then be used to verify the signature, with "a response from someone who identifies themselves as such person confirming that he/she did sign the applicable document".

I think you misunderstand the purpose of this step. It's to make sure that a rogue employee doesn't apply for a certificate using the name of someone else at the company who would be authorised to make the application.

Maybe I have overlooked something, but I could give them the address of eBay, or my address with an eBay sign,

I don't think any information source would confirm that your address belonged to eBay.

This whole thing has lots of loopholes. Given the experience and market pressures, we have to assume that the CAs use the absolute minimum and cheapest standards that still pass the guidelines, and they'll automate as much as possible.

That's certainly true. However, it's also true that the advantage of a written standard is that it can be updated in response to new threats.

So if, for example, someone gets an EV cert and uses it for phishing, we can analyse how they did it and tighten up the guidelines to close the loophole. With the previous, different-with-every-CA, ad-hoc procedures, that sort of thing wouldn't have been possible.

Also, there are really heavy statements in there, e.g. the liability (37(a); see also <https://financialcryptography.com/mt/archives/000862.html>): If the CA follows the EV guidelines and the user gets ripped off, the CA is not liable at all - be it due to a hole in the guidelines or other reasons.

Is this a change from how things work currently?

Even worse, though, if the CA *fails* to follow the guidelines, and the user gets ripped off *because of that*, the liability of the CA is limited to $2000 - not even per case, per cert/CA customer.

It says "$2000 per Subscriber or Relying Party per EV Certificate". This means that if ten people are ripped off, they can claim $2000 each.

However, I agree that this is a little bit low.

Even a single normal phishing incident is easily higher than that. That's particularly sobering considering that a cert *costs* $1000-2000 - that means I could set up a CA and sell certs to everybody including the mafia and not verify certs *at all*,

Except that you wouldn't pass the Webtrust EV audit and no browsers would EV-enable your root (if it even got in in the first place).

We need to connect online business with real world business. I want to have somebody to sue - who won't vanish when poked at. And I want that the info in the cert is actually correct.

I really think that every CA-issued certificate must be verified using the following steps:

Just to check: you mean _every_ CA-issued certificate? If so, you need to propose a way to get from where we are now to the place you want to be.

Say we wrote our own guidelines, and said to all the CAs "unless every cert you issue meets these, we'll yank your root". Who do you think would blink first?

   1. Using the official state register of companies to verify company
      name and representing natural person

What about issuing certs to people or organisations which aren't companies?

What about countries where there is no such register, or it's unreliable?

   2. Acquiring written signature (original) of that person
   3. Checking the signature against the ID card / passport of that person

One draft of a precursor document to the EV guidelines included a requirement for a site visit, and that you had to meet up with the applicant and take a photo of them with their government issued ID, and record the number thereon. I still think this was a great idea, but unfortunately I was not in a majority.

This, and pretty much only this, will ensure that the card holder really is who he claims to be, in real life, as seen by the government and courts. Thus, before EV, I assumed that the above is performed for the $100/year certs.

Really? There's no way any CA could make money doing this at $100 a cert. In the US, there are networks of companies which will do site visits and this sort of verification for you, but in other countries, there aren't. Such a visit would cost several hundred dollars to have performed.

Note that I think that natural persons and small companies should also be able to get an EV cert, from the start.

But then how can your step 1), above, work?

We could e.g. then show the cert holder name next to the domain name in the urlbar, so that the real world name is a trust root, in addition to the domain.

Their legal business name? Or their "trading as" name? Or the real name of the person at the company who made the application?

However, the real world company name may then be just as much a phishing target as the domain name is now. We'll not only have international character sets (compare IDN), which we can't easily escape from as we did with domains, but there'll be another class of attack of similar-seeming company names, e.g. is Shell Books a subsidiary of Shell Oil Company or not, or is "e Bay Auctioneers, Inc." a part of eBay?

Indeed. There's no substitute for a pair of human eyes on each application - which I believe EV requires (section 24).

Gerv
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security