Background
Recently I have read about the problem of Mozilla and CNNIC. Many years ago,
when I was a cryptography researcher, I worked on this problem as my
country – Vietnam – started working on a central PKI. Vietnam is
similar to China: the possibility of being cheated by rogue
certificates created under government pressure is a risk people
must anticipate. I designed a mechanism to add another protection
layer to the current trust model, which may solve this problem quite
elegantly.

The mechanism
* When the user agent software (usually a web browser) obtains a
certificate which the agent has never seen, it uses encrypted
communication to report the fingerprint of that certificate to a
central intrusion detection server. If the server determines that the
certificate is suspicious, it requests that the user agent software
send the certificate and additional information to the server as
evidence of the violation. If this communication fails, the failure can be
treated the same way as a failure of CRL or OCSP.
* The user agent software caches the fingerprint of the certificate,
similar to openssh's known_hosts file, to bypass this process on further
visits, saving bandwidth. The encrypted communication may be https, to
maximize the reuse of the existing code base, or a more lightweight
protocol to save bandwidth.
* The intrusion detection server should determine whether a certificate
is suspicious the first time that certificate is seen by the
server. If the server doesn't want to store too many certificates, it
may choose to be suspicious only about sensitive domains, which are
more likely to be chosen by eavesdroppers. The server may have a
mechanism to inform the owner of a certificate if there are other
certificates issued with similar information such as host name,
company name, etc.
* If a CA creates a rogue certificate, the evidence will be clear,
allowing for adequate punishment of violators; justice can be served
later by the relevant parties, and users should not have to care about this
issue. But there may be an optional "paranoid mode", informing the user
each time the intrusion detection server determines that a certificate
is suspicious.
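The exchange described above, written out as an added simulation (not code from the original post): the user agent keeps a known_hosts-style cache, reports only the SHA-256 fingerprint on first sight, and the server asks for the full certificate as evidence only when a sensitive host's certificate is new to it, then lists other issuers already on file for that host so the owner can be informed. The host names, issuer names and certificate bytes are constructed for the walk-through.

```python
import hashlib

def fingerprint(cert_der: bytes) -> str:
    return hashlib.sha256(cert_der).hexdigest()

class DetectionServer:
    """Central intrusion detection server (stores full certificates only as evidence)."""
    def __init__(self, sensitive_hosts):
        self.sensitive = set(sensitive_hosts)
        self.seen = set()      # fingerprints reported at least once
        self.evidence = {}     # fingerprint -> {"host": ..., "issuer": ...}
    def report(self, host, fp):
        first_sight = fp not in self.seen
        self.seen.add(fp)
        # Suspicious only on first sight, and only for sensitive hosts (bounds storage)
        suspicious = first_sight and host in self.sensitive
        return {"suspicious": suspicious, "send_evidence": suspicious}
    def submit_evidence(self, host, issuer, cert_der):
        fp = fingerprint(cert_der)
        self.evidence[fp] = {"host": host, "issuer": issuer}
        # Other issuers already on file for the same host name: grounds to notify the owner
        return sorted(r["issuer"] for f, r in self.evidence.items()
                      if r["host"] == host and f != fp)

class UserAgent:
    """Browser side: a known_hosts-style cache so each fingerprint is reported once."""
    def __init__(self, server, paranoid=False):
        self.server, self.paranoid = server, paranoid
        self.known = {}  # host -> fingerprint
    def on_certificate(self, host, issuer, cert_der):
        fp = fingerprint(cert_der)
        if self.known.get(host) == fp:
            return "cached"             # seen before: no round trip at all
        self.known[host] = fp
        resp = self.server.report(host, fp)
        if resp["send_evidence"]:
            self.server.submit_evidence(host, issuer, cert_der)
        return "warn" if resp["suspicious"] and self.paranoid else "reported"

def demo():
    server = DetectionServer(["bank.example"])   # constructed walk-through
    agent = UserAgent(server, paranoid=True)
    legit = b"constructed DER: bank.example issued by CA Alpha"
    rogue = b"constructed DER: bank.example issued by CA Beta"
    return [agent.on_certificate("bank.example", "CA Alpha", legit),
            agent.on_certificate("bank.example", "CA Alpha", legit),
            agent.on_certificate("bank.example", "CA Beta", rogue),
            server.submit_evidence("bank.example", "CA Beta", rogue)]
```

In the walk-through the second certificate for bank.example is flagged on first sight and the server's evidence store now names both issuers for that host, which is exactly the record a CA would have to answer for.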

Analysis of the mechanism:
* By default, there is no new user interface feature; for the users,
it just works. The relevant parties will watch over the problem.
* It strengthens the existing trust model. Even a prestigious CA with
a perfect process comes with risks: usually the weakest link in a
cryptographic system is the people using it. The people managing the CA
may be corrupt or under pressure from the authorities, or may have some
personal desire to abuse their power.
* The fingerprint is very short, so the overhead is very low and should be
lower than OCSP. Probably the difference between using and not using
this mechanism won't be noticeable to users.

Conclusion
I believe this mechanism will add a missing link to improve our trust
model. "The love of money is the root of all evil"; people have not
forgotten the case of Verisign corrupting DNS, abusing its trusted status. We
are putting too much trust in the list of CAs; it's time to add a
protection layer that allows us to punish potential violators of justice.

Please comment
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto