> This does not mean that the certificate verification mechanics are at
> fault; it only means that the CA selection protocol has not been thought
> out properly: it limped along with a handful of CAs; it is showing the
> serious symptoms of the malaise with hundreds. In the meantime, does anybody
> here have any estimate of the number of CAs we expect to be around in the
> foreseeable future? And what was the number of CAs anticipated when the
> current anointment protocol was conceived?
>

I think it's more subtle than that; some of the problems, in brief:

1) Mozilla/Firefox either trusts a CA 100% or not at all.
2) Since I can't adjust trust, or have Firefox warn me that I'm viewing a
site using a certificate I don't completely trust, I can either remove the
root certificate, and then encounter unknown certificates and deal with
that, or I can manually look at EACH certificate I encounter and figure out
who signed it and whether or not I trust them enough (I might trust a site
that I simply read, but not one where I enter my credit card #, for example).
3) It's very difficult even for technical users to find out who exactly
signed a certificate. For example, a certificate is signed by "valicert"; who
is that? (Tumbleweed bought Valicert and then Axway bought Tumbleweed; who
the heck is Axway, and what exactly do they do?) Or a certificate is signed
by beTrust; who is that? (It joined up with Baltimore Cybertrust to form
Cybertrust, and in turn Verizon purchased the whole thing.)
4) CAs are generally not restricted in whom they can issue certs to, i.e.
governmental CAs (Turkey, Holland, Denmark, etc.) are not restricted to
issuing certs within .tk, .nl, .dk, for example (there are good arguments for
and against this, but I think it should at least be discussed, and I'd love
to see a bit more user control over this).
5) There is no way for an end user to really verify the CPS/CS stuff; most
CAs seem to publish them online, but quite a few are out of date by several
years.
6) There appears to be no re-evaluation for CAs that are bought out or
merge with other CAs.
7) There are several suspicious and questionable-looking CAs
in Mozilla/Firefox, e.g. Internet Publishing Services from Spain: they have
7 certificates; what possible need is there for 7 certificates?
8) The CA approval protocol appears to be largely fail-open: they submit
paperwork showing they comply with certain standards/etc. at a certain time
point, and then there is a public comment period (where exactly?), and if
no one objects they are in.
9) There is no formal process to revoke certificates for a CA that violates
the rules. Heck, there's no official set of rules for them to break (one
signed piece of malware, one hundred signed pieces of malware? a provably
weak domain authentication process that reliably allows people to buy
certificates for domains they don't own, etc.).
10) I'm not even sure whom exactly to contact about these issues, or to whom
to report security problems with respect to a CA doing bad things (so I've
been lurking on the list for a bit and am now posting).

I've also seen these topics raised in this forum, Bugzilla, etc., and nothing
much came of them, which, sadly, is what I expect to happen here. One simple
question I'd love to see answered: who exactly is in charge of this, and what
exactly do they do? (It seems that certificate approval duty floats around
between a few people.)

-Kurt
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
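As an added example that is not part of Kurt's post, of the quoted reply, or of any Mozilla code: the mechanism that item 4 is asking for already exists in X.509 as the nameConstraints extension, and item 3's question ("who signed this?") is answered by walking the verified chain. The block below builds a constructed test PKI with Go's standard library only: a root, an intermediate whose nameConstraints permit only DNS names under .nl, and two leaves signed by that intermediate. A verifier that honours the extension accepts the .nl leaf and rejects the .com leaf for the specific reason that the CA is not authorized for that name, rather than as a generic "unknown authority". All CA and host names are hypothetical; no real CA, certificate or Mozilla root-store policy is involved.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed test PKI (hypothetical names, no real CA involved): a root, an
// intermediate carrying a critical nameConstraints extension that permits only
// DNS names under .nl, and two leaves signed by that intermediate.
type testPKI struct {
	roots, inters     *x509.CertPool
	inScope, outScope *x509.Certificate // shop.example.nl / shop.example.com
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs tmpl under parent with parentKey; a nil parent means self-signed.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// template returns a CA template (basicConstraints CA:TRUE, keyCertSign) or a
// TLS server leaf template whose SAN is its CN, valid for the next 24 hours.
func template(serial int64, cn string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.DNSNames = []string{cn}
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

func buildPKI() *testPKI {
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()
	root := issue(template(1, "Constructed Root CA", true), nil, &rootKey.PublicKey, rootKey)

	interTmpl := template(2, "Constructed NL-only Intermediate", true)
	// Leading dot: any name with at least one label under .nl. Marked critical,
	// so a verifier that does not implement the extension must reject the chain.
	interTmpl.PermittedDNSDomains = []string{".nl"}
	interTmpl.PermittedDNSDomainsCritical = true
	inter := issue(interTmpl, root, &interKey.PublicKey, rootKey)

	p := &testPKI{roots: x509.NewCertPool(), inters: x509.NewCertPool()}
	p.roots.AddCert(root)
	p.inters.AddCert(inter)
	p.inScope = issue(template(3, "shop.example.nl", false), inter, &leafKey.PublicKey, interKey)
	p.outScope = issue(template(4, "shop.example.com", false), inter, &leafKey.PublicKey, interKey)
	return p
}

// chainSubjects verifies leaf for host and returns the subject CNs of the
// accepted chain, leaf first: "who signed this, and who signed them?"
func chainSubjects(p *testPKI, leaf *x509.Certificate, host string) ([]string, error) {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: p.roots, Intermediates: p.inters, DNSName: host})
	if err != nil {
		return nil, err
	}
	var names []string
	for _, c := range chains[0] {
		names = append(names, c.Subject.CommonName)
	}
	return names, nil
}

// outOfScopeRejected reports whether the .com leaf is refused precisely because
// the intermediate is not authorized for that name (not merely "unknown CA").
func outOfScopeRejected(p *testPKI) bool {
	_, err := chainSubjects(p, p.outScope, "shop.example.com")
	var cie x509.CertificateInvalidError
	return errors.As(err, &cie) && cie.Reason == x509.CANotAuthorizedForThisName
}

func main() {
	p := buildPKI()
	fmt.Println(chainSubjects(p, p.inScope, "shop.example.nl"))
	fmt.Println(chainSubjects(p, p.outScope, "shop.example.com"))
}
```

The constraint is enforced by the relying party, not by the CA that is being constrained, which is the point of the design choice: a root-store operator (or a user, if the browser exposed it) could attach such a restriction to a government CA by cross-signing it under a constrained intermediate, without the CA's cooperation. The check only covers names the verifier understands; a leaf whose identity lives in a name form the constraint does not cover is exactly the edge case to test before relying on it.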
