Hi all,

On 22/09/11 02:30 AM, Arshad Noor wrote:
On 09/18/2011 11:59 AM, Peter Gutmann wrote:
Arshad Noor<[email protected]>  writes:

Just because you come across one compromised CA out of 100 in the browser, does not imply that the remaining 99 are compromised (which is what you are
implying with your statement).

Since browser PKI uses universal implicit cross-certification, it is indeed
the case that if one CA is compromised, all are compromised.  So Ian is
correct in his assessment.

I disagree, Peter.

In the first place, as you know, browsers have a trust-store of unique
self-signed TTP CA certificates; not cross-certified certificates.  All
SSL/TLS connections between browsers and a site with an SSL certificate
issued by one of those TTP CA's, involves a *direct* trust-chain.  A
browser user (or manufacturer) always has the ability to delete any TTP
CA certificate from their trust-store and sever the trust-chain, at
will.  Notwithstanding the fact that most users don't know anything
about trust-stores and TTP CA certificates, it does not change the fact
that these are direct and independent trust-chains that can be severed
at will.

How can one exercise will when one hasn't the understanding nor the tools? What school of human behaviour is this from?

In contract terms, this doesn't work. In tech terms, this doesn't work. In UI terms, it's a dog. In educational terms, it's a non-starter. In crypto-science terms, it's a violation of Kherckhoffs' 6th, which is now in its 128th year.

The only place it "works" is in a tiny enclave of academics who cluster at PKI conferences and the like, where they dream of a world in which users suddenly get knowledge injections in the arcania of certificate "trust" mechanics. But, these academics don't carry the consequences of it being wrong.

Secondly, if one CA is compromised, the only affected users are the ones
who still have that CA's Root certificate in their trust-store and who
happen to rely on a certificate issued by that CA (or its chain).  Any
user that has deleted the compromised CA's certificate can continue to
rely upon *other* TTP certificates/chains without worrying about the
compromised CA's certificates. They have isolated the damage can move
on.

So, we agree that the users who haven't done this are at risk? Damage can ensue? This is a dangerous situation?

Because the PKI academics have written this up in a so-complicated fashion that it is impenetrable, and because the vendors have universally agreed (conspired?) to hide this interface in the dark deep bottoms of their dialogs, this would constitute a failure of duty of care.

If the certificate needs to be removed for some real purpose, then we know it won't be. And we can state with complete clarity why. We can present your evidence as well as a dozen or more academically sound surveys.

If indeed your claim above is presented by a CA or vendor in court, this would be /prima facie/ evidence of gross (criminal) negligence [0]. IMHO, but real lawyers feel free to add & correct.

Thirdly, lets assume that the compromised CA has *explicitly* entered
into a cross-certification agreement with one or more other TTP CAs.
In such a situation, I admit that users who have removed the compromised
CA's certificate from their browser, can still become victims of a site
whose certificate was issued by the compromised CA, but whose website
administrator chose to use cross-certified path instead of the direct
path in their web-server's SSL configuration.  This will continue to
validate as a trusted chain in the browser.  However, any TTP CA that
has not revoked the compromised CA's (DigiNotar's) cross-certificate
by now and publicly notified the browser community about such a
revocation, has endangered their own business, much like DigiNotar.
This act, and the fact that the user/browser-vendor can remove the
compromised CA's certificate allows the rest of the internet community
to continue to rely on SSL connections despite the explicit cross-
certification.

Yes, thanks, underscores the case  :)

Are there problems with PKI?  I have already said, undoubtedly.  But,
these are "certificate manufacturing and distribution" problems that
must be addressed.  They are not a fundamental weakness of PKI itself.
As an analogy, let me mention that, when there is an outbreak of
salmonella in - lets say broccoli - everybody recognizes that the
tainting is caused, either in the manufacture or distribution of the
broccoli.  It might be that one or more farms, or one or more
distributors that is at fault.  While, in the short-term broccoli
production might be stopped and/or recalled, rational people recognize
that this is not a fundamental issue with broccoli itself, and do not
go around claiming that all broccoli manufacturers and distributors
are tainted or predicting that broccoli is doomed for the black-hole.

Ha. So this works coz the public knows that a broccoli scare means "throw out your broccoli." Consumers know what broccoli is.

Now substitute the word "broccoli" above with certificates. Test on any 10 users. I rest my case, m'lud.

One airplane might have fallen from the sky, gentlemen, but the sky is
not falling down on our heads.

Arshad Noor
StrongAuth, Inc.

P.S.  The use of the term "universal implicit cross-certification"
only serves to add confusion to an already complex field; you are the
only one that uses it (3 of the top 5 responses in a Google search
of this term are from this thread; the remaining two come from your
paper and presentation at IDTrust from some years ago).  It took me
a while to realize that its just your term for "independent trust-
chains" in the browser.  It might help the PKI community if we called
a spade a spade.  Thank you.

It's a good term! Add my use: There is a universal implicit cross-certification in the secure browsing PKI, and the industry knows it, or should know it.

Indeed, we can show evidence of this in Chrome's CA pinning.

iang



[0] Gross or criminal negligence is that negligence found when they know they are wrong, or they should have known they are wrong. "Or should know it" means that they have the experience and interest to know it.
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography

Reply via email to