Hi Kyle,

On 03/10/16 19:41, Kyle Hamilton wrote:
> WoSign is known to be cross-signed by several independent CAs (as well as 1
> CA which is no longer deemed to be independent). If it wished to bypass
> any attempt to distrust it, all it would have to do is be cross-signed by
> another CA. Because we don't have any idea how many cross-signing links
> actually exist to it, it's inappropriate to proceed on the hypothesis that
> all have been found and properly added to a CRL.

CT and crt.sh mean we have a fairly good idea of what cross-signs exist.

You say "all they have to do", but cross-signing another CA is a rare
process, involving both a significant amount of money and a lending of
reputation. If a CA were in the process of being partly or totally
distrusted by major root stores, it is unlikely that some other CA would
want to issue such a cross-signing certificate.

> Instead, public keys need to be able to be individually distrusted, no
> matter what identities they're certified with or who they're certified by.
> Once a CA's public key is distrusted, cross-certificates of that key would
> no longer be valid certification paths.

I can't speak for other vendors, but I believe that Mozilla's OneCRL
allows, among other things, distrusting a cert by public key.

> The primary reason why CAs have historically not been fully and
> unilaterally distrusted is because of the damage that would be done to the
> certified end-entities by distrusting the One Certificate Chain that can be
> provided via TLS. We need a means to provide multiple certificate chains
> simultaneously, with 1/N of those chains needing to pass verification in
> order for the connection to be deemed authentic.

This might be a good enhancement to TLS - the ability to present multiple
certificates and chains. While you are there, please add the ability to
use multiple hash algorithms on a cert :-)

> This protocol would have permitted end entities to have multiple
> certificate chains from multiple providers, so that they wouldn't have had
> to go into crisis mode if one of their providers was distrusted.

The question would be: how many sites would bother to set this up? Because
if it's your mechanism for mitigating TBTF, then you need it to be adopted
by most sites, otherwise the systemic issues you point out remain the same.

I actually think that TBTF is not a problem in practice, and with CT
providing verifiable timestamps in certs, it is not going to be a problem
in either theory or practice very soon.

Gerv

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
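The point the thread turns on, that distrusting a CA by its public key catches cross-signed copies of that CA which a certificate-hash blocklist would miss, can be shown in a few dozen lines. The following is an added example written for this page; it is not code from the thread, from Mozilla, or from OneCRL, and it does not reproduce OneCRL's format. It hand-rolls a minimal DER encoder and decoder so that it runs offline with the Python standard library only, and every certificate, issuer name, and key in it is constructed and unsigned (the signature field is a dummy bit string); it checks identity, not validity.

```python
import hashlib

# --- minimal DER encoding, enough to build a syntactically valid X.509 shell ---

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content

def seq(*parts):
    return tlv(0x30, b"".join(parts))

def integer(n):
    # extra byte guarantees a leading 0x00 when the top bit is set
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def oid(raw):
    return tlv(0x06, raw)

def name(cn):
    # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, CN (2.5.4.3) only
    return seq(tlv(0x31, seq(oid(b"\x55\x04\x03"), tlv(0x0C, cn.encode()))))

SHA256_RSA = seq(oid(b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"), tlv(0x05, b""))
RSA_ENC = seq(oid(b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"), tlv(0x05, b""))

def make_spki(modulus, exponent=65537):
    # SubjectPublicKeyInfo wrapping a constructed (not real) RSAPublicKey
    pubkey = seq(integer(modulus), integer(exponent))
    return seq(RSA_ENC, tlv(0x03, b"\x00" + pubkey))

def make_cert(serial, issuer_cn, subject_cn, spki):
    # Constructed certificate: real structure, dummy validity and signature
    tbs = seq(tlv(0xA0, integer(2)), integer(serial), SHA256_RSA, name(issuer_cn),
              seq(tlv(0x17, b"160101000000Z"), tlv(0x17, b"260101000000Z")),
              name(subject_cn), spki)
    return seq(tbs, SHA256_RSA, tlv(0x03, b"\x00" + b"\x00" * 32))

# --- minimal DER decoding ---

def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _children(content):
    out, pos = [], 0
    while pos < len(content):
        start = pos
        tag, val, pos = _read_tlv(content, pos)
        out.append((tag, val, content[start:pos]))   # (tag, content, raw TLV)
    return out

def spki_sha256(cert_der):
    """SHA-256 of the raw SubjectPublicKeyInfo TLV: what a key-based distrust entry keys on."""
    _, cert_body, _ = _read_tlv(cert_der, 0)
    tbs = _children(cert_body)[0][1]
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                # explicit [0] version is optional
        fields = fields[1:]
    # serial, signature alg, issuer, validity, subject, subjectPublicKeyInfo
    return hashlib.sha256(fields[5][2]).hexdigest()

def cert_sha256(cert_der):
    """Whole-certificate fingerprint: what a certificate-based blocklist keys on."""
    return hashlib.sha256(cert_der).hexdigest()

def chain_allowed(chain, blocked_cert_hashes=(), blocked_spki_hashes=()):
    """Reject a chain if any certificate in it, or any public key in it, is blocked."""
    for cert in chain:
        if cert_sha256(cert) in blocked_cert_hashes:
            return False
        if spki_sha256(cert) in blocked_spki_hashes:
            return False
    return True

def demo():
    """Same CA key certified by two different roots; block it by cert hash and by key."""
    ca_key = make_spki(modulus=(0xC0FFEE << 1000) | 1)      # constructed, not a real key
    leaf_key = make_spki(modulus=(0xABCD << 1000) | 1)
    ca_original = make_cert(1, "Root One", "Example CA", ca_key)
    ca_cross = make_cert(2, "Root Two", "Example CA", ca_key)   # cross-sign: same key, new issuer
    leaf = make_cert(3, "Example CA", "www.example.test", leaf_key)
    by_cert = {cert_sha256(ca_original)}
    by_key = {spki_sha256(ca_original)}
    return {
        "same_key": spki_sha256(ca_original) == spki_sha256(ca_cross),
        "different_cert": cert_sha256(ca_original) != cert_sha256(ca_cross),
        "cert_block_original": chain_allowed([leaf, ca_original], blocked_cert_hashes=by_cert),
        "cert_block_cross": chain_allowed([leaf, ca_cross], blocked_cert_hashes=by_cert),
        "key_block_cross": chain_allowed([leaf, ca_cross], blocked_spki_hashes=by_key),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Run as a script it shows that the cross-signed copy has a different certificate fingerprint but the same SPKI hash, so a blocklist keyed on the certificate lets the chain through `ca_cross` pass while a blocklist keyed on the public key rejects it. The SPKI hash is taken over the raw SubjectPublicKeyInfo TLV bytes, the same input used for HPKP-style pins, so the same value can be cross-checked against pin-style tooling.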

