On Tue, Mar 22, 2011 at 05:33:01PM +0200, Ciprian Dorin Craciun wrote:
> >> CA's cannot be trusted to even pay attention to carefully securing
> >> your certificate. Here in the US, the government can simply ask
> >> for your certificate and get it (and possibly even use it to
> >> impersonate you).
> >
> > The problem is not really whether there is a trust relationship
> > between your CA provider and you, it's whether at least *one* CA is
> > lax enough that they give out certificates without thorough
> > checking. Even with your self-signed approach, somebody could get a
> > CA to issue a certificate that their key is good for your website,
> > and impersonate it to any of your new-coming customers who haven't
> > been exposed to your official key yet.
>
> There is a project (which I'm contributing to, so take this with a
> grain of salt) -- Perspectives http://www.networknotary.org/ -- that
> is trying to solve this problem: how to detect a MITM attack or a
> "rogue" CA.
>
> The idea is quite simple: provide a Firefox (and in short time a
> Chrome) plug-in that contacts a series of "trusted" (see below) notary
> servers that give back their SSL certificate fingerprint
> "observations". If the browser's observed SSL certificate "matches"
> the ones provided by the notaries -- within a sensible time frame --
> then everything is OK (there could be false positives though). If not,
> it triggers an alarm (which could be a false negative). Therefore this
> works with all kinds of certificates -- self-signed, trusted CA's or
> untrusted CA's. (In fact the notaries are able to "observe" both SSH
> and arbitrary TLS/SSL-based services' certificates.)
>
> The trust moves from the CA to a set of peer-to-peer, geographically
> distributed, independently run notary servers (with a quorum
> decision). (But, like in the case of Tor (or other peer-to-peer
> security systems), you could be in trouble if someone is able to take
> over a great deal of the nodes.)
>
> Also, because this is more for MITM attacks, rogue CA's can be detected
> only if the "government" isn't able to redirect all traffic to the
> rogue server for a large time frame. (Thus, for example, if government X
> is able to impersonate the server only in region X, but not in other
> regions, notaries in those other regions will signal the possible
> rogue CA / servers.)
This is an interesting approach; I'll see if I can do something with it (;
However, it also reminds me a lot of MonkeySphere [0], which leverages the
PGP WoT and allows host keys (SSH, SSL) to be signed with the admin's PGP
key. This also has the effect of decentralising the key management.
However, I suspect there is a risk of false positives/negatives, and I'm
not sure which one is the worst. I think this is definitely the problem
of those decentralised approaches. Note that somebody paying a CA to issue
a false certificate would be a false positive anyway...

[0] http://web.monkeysphere.info/

--
Olivier Mehani <sht...@ssji.net>
PGP fingerprint: 4435 CF6A 7C8D DD9B E2DE F5F9 F012 A6E2 98C6 6655
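The notary-quorum decision that Ciprian sketches above (compare the browser's fingerprint against what a set of independent notaries have observed, over a time window, and alarm if a quorum disagrees) is easy to make concrete. The following is an added worked example written for this thread; it is not Perspectives' own code or wire protocol. The data model (one observation history per notary, a quorum fraction, a minimum "quorum duration", a freshness bound), the notary names, the fingerprints and the four scenarios are all constructed assumptions chosen to exercise the cases the two mails discuss: a steady key, a MITM confined to one region, a legitimate key rollover, and a MITM that has fooled every notary for a long time.

```python
"""Notary-quorum key check in the spirit of the Perspectives idea.

Added illustration, not Perspectives' own code. The Observation model,
the thresholds and the sample data below are constructed assumptions.
"""
import math
from dataclasses import dataclass

DAY = 86400
NOW = 1_300_000_000  # fixed "now" (constructed) so the example is deterministic

# Constructed fingerprints; any hex digest a notary would record works here.
K1 = "a1b2c3d4e5f60718293a4b5c6d7e8f9012345678"  # long-standing key
K2 = "ffee00112233445566778899aabbccddeeff0011"  # newly appearing key


@dataclass(frozen=True)
class Observation:
    fingerprint: str  # certificate fingerprint as seen by the notary
    first_seen: int   # unix time the notary first saw this key for the host
    last_seen: int    # unix time of its most recent observation of this key


def current_key(history):
    """The observation a notary made most recently for the host."""
    return max(history, key=lambda o: o.last_seen)


def check_key(observed_fp, notary_histories, now,
              quorum=0.75, min_age=7 * DAY, max_staleness=2 * DAY):
    """Return (verdict, detail) with verdict in {"accept", "warn", "reject"}.

    A notary agrees when the key it currently sees is the key the browser
    saw and that observation is fresh.  The quorum passes when at least
    `quorum` of the responding notaries agree.  The "quorum duration" is the
    time for which that many notaries have all seen the key; a key that has
    quorum but too short a duration is only warned about, since it may be a
    legitimate rollover or a MITM that has already reached the notaries.
    """
    responding = {n: h for n, h in notary_histories.items() if h}
    if not responding:
        return "warn", "no notary data; cannot corroborate the key"
    agreeing, disagreeing = {}, {}
    for name, hist in responding.items():
        cur = current_key(hist)
        if cur.fingerprint == observed_fp and now - cur.last_seen <= max_staleness:
            agreeing[name] = cur
        else:
            disagreeing[name] = cur.fingerprint
    needed = math.ceil(quorum * len(responding))
    if len(agreeing) < needed:
        return "reject", (f"only {len(agreeing)}/{len(responding)} notaries see "
                          f"{observed_fp[:8]}...; others see "
                          f"{sorted(set(disagreeing.values()))}")
    # Quorum duration: the age at which `needed` notaries have all seen the key.
    ages = sorted((now - o.first_seen for o in agreeing.values()), reverse=True)
    quorum_age = ages[needed - 1]
    if quorum_age < min_age:
        return "warn", f"quorum agrees, but key seen for only {quorum_age // DAY} day(s)"
    return "accept", f"{len(agreeing)}/{len(responding)} notaries agree for {quorum_age // DAY} days"


def sample_histories(scenario):
    """Constructed notary histories (four notaries in different regions)."""
    regions = ("us", "eu", "ap", "sa")
    old = Observation(K1, NOW - 30 * DAY, NOW - 3600)
    switched = [Observation(K1, NOW - 30 * DAY, NOW - 2 * DAY),
                Observation(K2, NOW - DAY, NOW - 3600)]
    if scenario == "steady":            # everyone has seen K1 for a month
        return {r: [old] for r in regions}
    if scenario == "regional_mitm":     # only the "us" notary sees the new key
        h = {r: [old] for r in regions}
        h["us"] = list(switched)
        return h
    if scenario == "rollover":          # everyone sees the new key since yesterday
        return {r: list(switched) for r in regions}
    if scenario == "global_mitm":       # attacker has fed K2 to all notaries for a month
        return {r: [Observation(K2, NOW - 30 * DAY, NOW - 3600)] for r in regions}
    raise ValueError(scenario)


def demo():
    """Verdict for the key the browser saw in each constructed scenario."""
    return {
        "steady": check_key(K1, sample_histories("steady"), NOW)[0],
        "regional_mitm": check_key(K2, sample_histories("regional_mitm"), NOW)[0],
        "rollover": check_key(K2, sample_histories("rollover"), NOW)[0],
        "global_mitm": check_key(K2, sample_histories("global_mitm"), NOW)[0],
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14s} -> {verdict}")
```

The last scenario is the caveat from the thread made explicit: when the attacker can redirect all traffic for longer than the minimum quorum duration, every notary honestly reports the rogue key and the check accepts it. The "rollover" case is the flip side, where a legitimate new key trips a warning until enough notaries have seen it for long enough; tuning `quorum`, `min_age` and `max_staleness` is exactly the false-positive/false-negative trade-off Olivier raises.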