Hello,
I wanted to run an idea past the Mozilla community that's sort of
half-baked, but maybe the community can help flesh it out. This is mostly a
personal idea of mine at this point, but if there is enough interest /
support it might become a DigiCert initiative.
The idea is motivated by the idea that it's absolutely impossible to
determine with any confidence whether a particular certificate can be
replaced within a 24 hour or a five day period (unlike many of the
participants whose experience here is hypothetical, I've done my time in the
trenches). Many customers can safely replace, with various degrees of
expense and effort, but many customers can't replace safely, and the
incentives all point in the wrong direction, so getting reliable information
to make determinations is a real challenge, and very time consuming. And as
much as I love crypto agility, not having anyone get hurt or die is also
pretty high on my priority list. And there are some cases where that's
exactly what's on the table.
As I stated in Bergamo, instead of trying to apply band-aids to this very
broken process, I think we need to entirely rethink how we do things in
order to make any progress. So I'm going to start throwing out some ideas
that might work, and maybe we'll eventually converge on a solution that has
a chance of working. Because the current system doesn't.
This is just the first of a bunch of proposals, so here we go:
If a publicly-trusted certificate is difficult to replace, for various
regulatory or technical reasons, the real reasons do not magically appear
when rotation is necessary. But a host of fake reasons are likely to arise
("we can't rotate certificates faster because it costs money we don't want
to spend"). Furthermore, making progress on this problem would be greatly
assisted by better information about exactly which certificates can't be
replaced, the timescale on which they CAN be replaced, and why.
The world would be better if we all knew, IN ADVANCE, which certificates are
automatically replaceable, and which aren't. This would also greatly
streamline operations when replacements are necessary, as it removes the
burden on making the determinations with a ticking clock, which is a
situation that doesn't lend itself to careful and unbiased evaluations.
This would make things better in a number of ways:
1. For organizations that do use automation, or are able to deal with
the agility requirements, the certificates just get revoked on the agreed
upon timelines. No discussions, no exceptions. This would be the standard
way certificates work going forward.
2. For organizations that can't, we would have transparent information
about the existence of the issue, the nature of the problem, and the
severity (feasible timeline). This would aid in efforts to evaluate an
implement methods to reduce the scope and severity of the WebPKI agility
issues. Currently, we never find out about these issues until replacement
is needed, and at that time it's too late to do anything.
3. Once the information is available, it will be much easier to have
reasonable discussions about the nature and distribution of problems, what
the root causes are, and how various regulations and industry practices can
be changed to encourage and enhance crypto agility, instead of holding it
back.
4. And furthermore, it would be better if these disclosures came
directly from the subscribers, because they are the only ones in a position
to know the ground truth. Subscribers could be held publicly accountable
for the accuracy and reasonableness of their determination and need.
5. Hopefully, the need to declare their inability to rotate
certificates would "encourage" organizations to improve their crypto agility
until they no longer needed to appear on the list of people holding back
WebPKI agility. It would also allow requirements to be written about what
practices are acceptable and what aren't, and compliance with timelines to
move away from questionable practices could be monitored easily.
The information could even be contained in a certificate extension, so that
the rotation practices of these organizations is transparent. That would
then make it possible to track the effectiveness of initiatives to reduce
the barriers to rotation of WebPKI certificates. There's even a chance we
could actually use the information to make revocation and rotation better,
instead of just arguing about it on internet forums!
One potential downside is that this would make critical certificates stick
out like a sore thumb, but I think on balance, the transparency is more
valuable than the disclosure risk. I've never been a huge security by
obscurity fan, anyway.
I realize this would be a major change to how we do things, but we've been
having this exact same conversation about certificate replacement for pretty
much the entire decade I've been involved at CABForum, and I think it's time
for radical change. If this isn't the right idea, it at least gives a sense
of the kind of change that is needed to make progress here, and I would love
to hear any other potential ideas for how we finally exit the traffic circle
and start moving forward again.
-Tim
