On 2012-12-31 16:18, Kai Engert wrote:
> I propose to more actively involve users into the process of accepting
> certificates for domains.
If we get away from garbage like <keygen>, PKI-based authentication
becomes a natural feature for mobile devices. This in itself render
the mentioned attacks much less useful. If you to that add an optional
X.509 extension holding a trust list, the client won't even allow you
to login to the fake site.
Anders
>
> I envision a UI where users are required to approve once, whether the
> combination of a CA and a domain is acceptable to the user.
>
> The following UI would be shown whenever a user starts a connection to a
> secure site, and the site uses a CA that has not yet been approved for
> the respective domain (or if the uses a fresh computer or a fresh
> browser profile).
>
> The following UI would only be shown, if the certificate can otherwise
> be correctly chained up to a trusted CA - the scenario that we currently
> allow to proceed automatically.
>
> Inline comments regarding the UI are wrapped using <<< >>>.
>
> ======[begin UI]======
> You are trying to open a secure connection to a remote site:
> www.my-bank.xy
>
> A connection can be secure, if the remote site can proof to be the
> legitimate owner of the site.
>
> The remote site claims to be:
> Organization = My Bank
> Name = www.my-bank.xy
> Locality = My City, Counry = XY
> [view complete site certificate]
>
> The site presented a certificate from this Certificate Authority (CA):
> Organization = "A trustworthy CA"
> Organizational Unit = Class n Certification Authority
> Country = XY
> [view complete CA certificate]
>
> <<<for domain validation certs>>>
> The CA claims to have verified that an owner of the domain is operating
> the remote site.
>
> <<<for extended validation certs>>>
> The CA claims to have verified the identity of the operator of the
> remote site, based on business registration documents, to be the
> registered owner of the site.
>
>
> Do you trust the Certificate Authority to have correctly verified the
> remote site, and that the verification is sufficient for your security
> needs?
>
> <<<user must make a choice, or the connection won't proceed>>>
> ( ) yes, for all sites in top level domain “.xy”
> ( ) yes, for all sites in domain “my-bank.xy”
> ( ) yes, for all sites in domain “www.my-bank.xy”
> (*) no, don't connect
>
> [ remember choice and continue ]
>
> <<<the system will remember the selected association of {CA, domain}>>>
> <<<future, different combinations of {CA, domain} will require anther
> confirmation>>>
>
> ======[end of UI]======
>
> Crossposted to dev-security.
> Please follow-up to dev-tech-crypto@lists.mozilla.org
>
> Thanks and Regards,
> Kai
>
>
>
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
