Re: CA Program for security researchers

2018-02-22 Thread Jakob Bohm via dev-security-policy

On 22/02/2018 23:27, James Burton wrote:

> It doesn't take that long for CAs to do vetting checks for OV and EV
> certificates when everything is handed to them on a plate. Breaking CAs'
> vetting procedures is not too hard.

In principle, the vetting procedures are what customers pay for and
relying parties depend on.  The automated certificate signing and
revocation systems are operational security critical infrastructure, but
logically secondary to the vetting.


> The key here is that security research shouldn't cost the
> researcher thousands to prove a valid point. They should be entitled to
> some type of compensation from the CA.
> It would be great if CAs ran a program that allowed security researchers to
> get compensated after the research instead of before.

That would be my option 2 below: Getting the tested CA to sponsor the
operation.

My option 3 below, if combined with the real vetting processes of that
CA, would be another way to handle research probing (with no risk of
being accused of causing actual dangers), provided the CA can be trusted
not to do things correctly and more securely for the test certificates,
but wrong/insecurely for the real certificates.


> James
>
> On Thu, Feb 22, 2018 at 10:10 PM, Jakob Bohm via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
>> On 22/02/2018 22:17, James Burton wrote:
>>
>>> There needs to be a program that helps security researchers like myself get
>>> free or low cost certificates for research purposes. That EV research I did
>>> a while ago nearly set me back personally $4,297.
>>>
>>> James
>>
>> I think there are three main cases and an additional concern:
>>
>> 1. Getting real certificates from a real CA referring to real domains.
>>    Only secure option is to get the research sponsored by that CA,
>>    perhaps in exchange for giving them a longer than standard heads up of
>>    any results regarding their security.
>>
>> 2. Getting real certificates for a test/dummy domain.
>>    Perhaps a weakening rule can be introduced in the BRs (subject to a lot
>>    of discussions as this will be very controversial and potentially
>>    dangerous), that certificates for the .invalid TLD can be issued under
>>    special research terms.  However I doubt the current BR maintainers or
>>    the leaders of this Mozilla group will agree to that.
>>
>> 3. Getting invalid/test certificates for a real domain to test
>>    procedures.
>>    Perhaps some CAs can be talked into setting up a special "test only,
>>    DO NOT TRUST" root CA running in parallel to their real trusted roots,
>>    allowing cheap issuance for tests and experiments.  Such a test root
>>    would not be in the CCADB or any root program, nor be cross-signed by
>>    any real roots.
>>    Such a test hierarchy would also be useful for organizations setting
>>    up and testing automated certificate management systems prior to using
>>    those systems with real certificates.
>>
>> Additionally, for the manual step verified EV and OV certificates,
>> issuance involves real man-hours at the CA organization.  So for such
>> higher grade certificates, getting them for free or on a 30 days-return
>> policy would not be a good thing to allow.  Even for testing.
>> Especially since such research certificates are probably going to
>> trigger additional manual revocation procedures (= more man-hours to be
>> paid).

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: CA Program for security researchers

2018-02-22 Thread James Burton via dev-security-policy
It doesn't take that long for CAs to do vetting checks for OV and EV
certificates when everything is handed to them on a plate. Breaking CAs'
vetting procedures is not too hard.

The key here is that security research shouldn't cost the
researcher thousands to prove a valid point. They should be entitled to
some type of compensation from the CA.
It would be great if CAs ran a program that allowed security researchers to
get compensated after the research instead of before.

James

On Thu, Feb 22, 2018 at 10:10 PM, Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> On 22/02/2018 22:17, James Burton wrote:
>
>> There needs to be a program that helps security researchers like myself get
>> free or low cost certificates for research purposes. That EV research I did
>> a while ago nearly set me back personally $4,297.
>>
>> James
>
> I think there are three main cases and an additional concern:
>
> 1. Getting real certificates from a real CA referring to real domains.
>    Only secure option is to get the research sponsored by that CA,
>    perhaps in exchange for giving them a longer than standard heads up of
>    any results regarding their security.
>
> 2. Getting real certificates for a test/dummy domain.
>    Perhaps a weakening rule can be introduced in the BRs (subject to a lot
>    of discussions as this will be very controversial and potentially
>    dangerous), that certificates for the .invalid TLD can be issued under
>    special research terms.  However I doubt the current BR maintainers or
>    the leaders of this Mozilla group will agree to that.
>
> 3. Getting invalid/test certificates for a real domain to test
>    procedures.
>    Perhaps some CAs can be talked into setting up a special "test only,
>    DO NOT TRUST" root CA running in parallel to their real trusted roots,
>    allowing cheap issuance for tests and experiments.  Such a test root
>    would not be in the CCADB or any root program, nor be cross-signed by
>    any real roots.
>    Such a test hierarchy would also be useful for organizations setting
>    up and testing automated certificate management systems prior to using
>    those systems with real certificates.
>
> Additionally, for the manual step verified EV and OV certificates,
> issuance involves real man-hours at the CA organization.  So for such
> higher grade certificates, getting them for free or on a 30 days-return
> policy would not be a good thing to allow.  Even for testing.
> Especially since such research certificates are probably going to
> trigger additional manual revocation procedures (= more man-hours to be
> paid).
>
> Enjoy
>
> Jakob


Re: CA Program for security researchers

2018-02-22 Thread Jakob Bohm via dev-security-policy

On 22/02/2018 22:17, James Burton wrote:

> There needs to be a program that helps security researchers like myself get
> free or low cost certificates for research purposes. That EV research I did
> a while ago nearly set me back personally $4,297.
>
> James

I think there are three main cases and an additional concern:

1. Getting real certificates from a real CA referring to real domains.
  Only secure option is to get the research sponsored by that CA,
  perhaps in exchange for giving them a longer than standard heads up of
  any results regarding their security.

2. Getting real certificates for a test/dummy domain.
   Perhaps a weakening rule can be introduced in the BRs (subject to a lot
   of discussions as this will be very controversial and potentially
   dangerous), that certificates for the .invalid TLD can be issued under
   special research terms.  However I doubt the current BR maintainers or
   the leaders of this Mozilla group will agree to that.

3. Getting invalid/test certificates for a real domain to test
   procedures.
   Perhaps some CAs can be talked into setting up a special "test only,
   DO NOT TRUST" root CA running in parallel to their real trusted roots,
   allowing cheap issuance for tests and experiments.  Such a test root
   would not be in the CCADB or any root program, nor be cross-signed by
   any real roots.
   Such a test hierarchy would also be useful for organizations setting
   up and testing automated certificate management systems prior to using
   those systems with real certificates.

Additionally, for the manual step verified EV and OV certificates,
issuance involves real man-hours at the CA organization.  So for such
higher grade certificates, getting them for free or on a 30 days-return
policy would not be a good thing to allow.  Even for testing.
Especially since such research certificates are probably going to
trigger additional manual revocation procedures (= more man-hours to be
paid).
Enjoy

Jakob


Re: CA Program for security researchers

2018-02-22 Thread James Burton via dev-security-policy
I didn't put this in the article because it's not relevant as an attacker
wouldn't care nonetheless.

James

On Thu, Feb 22, 2018 at 9:29 PM, James Burton  wrote:

> They tried charging the card the amount the day after the certificate was
> issued but the bank fraud department called me about the transaction and I
> refused it because it was invalid as it was within the trial period and it
> was clearly stipulated that I was only going to get charged after the 30
> days trial period is up. In the end, I managed to sort it out with them and
> didn't have to pay anything and had evidence to support myself in case I
> had to fight it in court or etc.
>
> James
>
> On Thu, Feb 22, 2018 at 9:17 PM, James Burton  wrote:
>
>> There needs to be a program that helps security researchers like myself
>> get free or low cost certificates for research purposes. That EV research I
>> did a while ago nearly set me back personally $4,297.
>>
>> James
>>
>>
>>
>


Re: CA Program for security researchers

2018-02-22 Thread James Burton via dev-security-policy
They tried charging the card the amount the day after the certificate was
issued but the bank fraud department called me about the transaction and I
refused it because it was invalid as it was within the trial period and it
was clearly stipulated that I was only going to get charged after the 30
days trial period is up. In the end, I managed to sort it out with them and
didn't have to pay anything and had evidence to support myself in case I
had to fight it in court or etc.

James

On Thu, Feb 22, 2018 at 9:17 PM, James Burton  wrote:

> There needs to be a program that helps security researchers like myself
> get free or low cost certificates for research purposes. That EV research I
> did a while ago nearly set me back personally $4,297.
>
> James
>
>
>