On 2011-12-08, at 1:52 PM, Daniel Kahn Gillmor wrote: > On 12/08/2011 01:23 PM, Patrick Patterson wrote: >> Far better that the Relying Party exercise some form of discretion and >> responsibility. > > I completely agree with you that it should work this way, except that in > a single-issuer certification model (e.g. X.509), you are bound by the > choices of the administrators of the sites you want to visit. > > What if i don't consider Entrust particularly trustworthy or reliable? > If i want a secured connection to https://www.carillion.ca/ i have to > rely on them to authenticate the connection. > > So i could "exercise discretion" and i wouldn't be able to work with > your organization. >
And, if enough people did that, we would probably change CAs, since having people work with us is more valuable than whatever cost the Certificate is. > Lots of web sites use X.509 certificates granted from GoDaddy (a > disreputable company if i've ever seen one) simply because they're cheap > and folks are short on cash these days. Other (major) organizations > rely on a CA chain where the ultimate root uses a 1024-bit RSA key > issued 12 years ago and is preposterously claimed to be valid until > 2030. Should i simply refuse to visit the web sites who've made the > decision to use these CAs? > > The mechanisms don't exist for relying parties to cleanly censure > misbehaving CAs without losing secured access to big sections of the web > themselves. And for those few who are willing to take those drastic > measures, how can they actually effect change in the existing system? > My problem is that none of the existing methods proposed will help. The problem is that the browsers and OS folks let CAs into their trust store based on a Web Audit standard that really doesn't do very much to enforce good CA behaviour, when they have this requirement at all. No amount of re-jigging the existing system is going to help - my grandmother isn't going to check the references of whatever other notary a web site choses to validate its own identity any more than she is going to check the audit of the CA that issued the original cert. So, she is going to rely not on the CA to protect her, she is going to rely on the browser vendor or OS vendor to protect her. > My argument is that the incentives which underlie the entire system are > deeply flawed if you care about relying parties at all. And if the > Relying Parties get no protection, then even the Subscribers are getting > screwed. They're not screwed by their chosen CA directly (who they have > a contract with), but by the overall system, because all their customers > are (have to be) willing to rely on every shady CA out there (50 or 350 > or 650 of them) to not provide an adversary a bogus certificate to > intercept their communications. > If all of the governments and large companies and institutions (> 1000 people) practiced active Trust Management, which is WELL within their means (it's really simple - start with an empty list - fill it with CA's after someone has demonstrated a need and you have checked the CA's references, and push the updates out via GPO), we would have a VERY good start towards cleaning up the CA landscape. If the USG, or Mercedes-Benz all of a sudden won't access a subcontractor's site because of a CA issue, I will guarantee you that subcontractor will fix that problem ASAP and change CAs to someone that is more trustworthy. And if someone is told by their IT department that they won't allow access to their bank site because a dodgy CA violates their policy, that user is going to complain to the bank, who, because probably that bank's customer mostly come from similar sized organisations (not sure what to do with co-ops and the like), will probably change their Certificate acquisition strategy. The financial incentive would then turn around, and it would make financial sense for companies to buy real, trustable Certificates from a reputable CA, than participate in the "race to the bottom" bargain bin SSL Certificates that currently is happening. The main problem with this plan, is that most security folks would look at that, and think that they don't want to be bothered by that many helpdesk calls. And the browser and OS folks also get complaints when someone's favourite CA isn't listed. Consequently, we have dodgy trust mostly out of a desire for good customer service. We all know it is easier to say yes than no. Of course, good old financial interest of companies buying certs for the least amount of money is also to blame. So I don't know what the best solution is, however, there is enough work to do on all sides (Relying Parties should be more picky, Subscribers should stop buying certs from the guy on the corner under the streetlight, large Subscribers really have no excuse and should be protecting their users better, browser and OS vendors should beef up their requirements for inclusion, and more actively purge folks that don't have a recent audit, and CAs should clean up their act out of concern for my grandmother :) Cheers, --- Patrick Patterson Chief PKI Architect Carillon Information Security Inc. http://www.carillon.ca
