I think there are potential applications of PKI outside phishing prevention and further that PKI by itself is not a perfect solution. There are plenty of things that could be done to improve the safety of netizens; some risks or aspects of risks can be mitigated by use of public key technologies. Different approaches and different applications could have different requriements.
Thanks for your comments; it's always good to see new perspectives in these discussions.
The root list management approach to date in MF and Microsoft has been, more or less, to identify the CA legal entity and require that they document their policies and practices and undergo an audit. Both Microsoft and Netscape used to charge a huge amount for inclusion in their root lists which ensured the CAs had something to lose if their brand was tarnished, but it also kept smaller CAs off the list (it may be worth noting that quite a few of the CAs commonly trusted have been bought or sold or gone bankrupt - what policies and practices survive change of ownership?).
Also worth noting is that buying an existing CA was one way in which new CAs could enter the market and have their certs automatically accepted, rather than having to go through the process of trying to get each and every browser vendor to include their own (new) root certs. Another way to bypass the browser vendors was to get yourself set up as a subordinate CA to a root CA whose cert was already in all the browsers.
In effect what we had (and still have to some extent) was a situation where the browser vendors artificially constrained supply in the CA market, and companies had economic incentives to find ways to evade those constraints. I also think these artificial limits on competition in the CA market caused prices for certs to remain higher than they otherwise might have.
In many ways the dynamic playing out in the CA market today reminds me of what happened to the domain registration market over the past few years: moving from a near-monopoly situation to a more fragmented market as artificial constraints on the market are gradually removed. This prospect may be alarming to some people ("what? CAs descend to the level of domain name registrars?") but I think it could actually be to our benefit, for reasons I alluded to previously: a fragmented market with low market share for any given CA makes it easier to remove CAs if needed without causing excessive disruption to users.
In any case I think there are powerful economic forces driving this transformation of the CA market, most notably forces driving commercial for-profit CA services to become just one of many ancillary services offered by integrated "web presence" vendors, along with domain name registration, web site hosting, email service, blogging systems, e-commerce hosting and back-end payment processing, etc. I hope to blog more on this soon (plus see my comments below).
An advocate in nmpc suggests driving broader adoption of SSL by changing the trust model in combination with loading additional financial exposure on the CAs (ie make their brand/reputation suffer for their mistakes and weaknesses). Others advocate raising the bar for entry into the root list through other means. I think there is merit to both approaches.
I think a lot of this debate comes down to the following: Do we try to hold on the traditional notions of what a CA is and does, or do we try to adapt to how the role of CAs might change as time goes on? Clearly there is a lot of sentiment in this forum that things like only-domain-ownership-validated SSL certs and low-assurance email certs represent a falling away from the traditional standards that CAs should meet, and may be the source of potential security risks (e.g., those related to phishing). As I've said before, this is a perfectly legitimate position to take.
On the other hand I think domain-validated SSL certs and other lower-assurance certs are not going to go away, and if anything I think they'll become more popular, because they meet the needs of a big portion of the potential customer base for certs. The thoughts on branding put forth by Ian and others to some extent represent proposals on how to manage this market transition in a controlled way, by making the CA market more like a "normal" market where people make their decisions based on their perception of vendors and their brands, as influenced by advertising, independent evaluations (e.g., Consumer Reports, J.D. Powers, etc.), and others' experiences.
However I don't think Ian is going far enough in his thinking. My hypothesis is that in a few years there may not be a CA market in the traditional sense. Instead it may be subsumed into the broader market for "web presence", and "CA branding" really becomes proxy branding for web presence providers. Consider a situation where a person or small business goes to "WebPresence Inc." and does the following:
* registers a domain * signs up for web site hosting * contracts for various add-on services from a menu of services: * IMAP and/or webmail accounts * blogging facility (to create public and/or private blogs) * chat room(s) (for public or private chat) * streaming media service (to serve up audio or video content) * advertising service (to serve up contextual ads) * Internet storefront * back-end payment processing * and so on...
Oh, and by the way, they sign up for an SSL cert for their domain, and maybe also email certs for their bundled email accounts.
What does "CA branding" do then? It shows that "www.mylittlewebsite.com" is a "WebPresence site"; in other words, it advertises "WebPresence Inc." to every person viewing the site, each of whom represents a potential customer for "WebPresence Inc." IMO this significantly changes the terms of the debate between Ian and Gerv about how end users might respond to CA branding (e.g., by switching their custom from one Internet store to another based on the first store using a dodgy CA), because it changes the purpose of the branding from a "Seal of Approval" model to a "Powered by Foo" model.
From this point of view "CA branding" becomes the web equivalent of the email signature tags inserted into messages by Hotmail and other providers. (And we all recall the great success of that practice in marketing Hotmail and other services.) And like those tags, "CA branding" doesn't depend on the site owner doing something (like inserting a "Powered by WebPresence Inc." graphic), the branding "just happens".
(Again, this whole topic of "CA branding" and how it might evolve is something else I hope to find time to blog about.)
It seems to me that internet use is increasing and therefor so is the value to be garnered by criminals. I expect the approach criminals take will be path of least resistance and that the particular attacks will vary substantially to work around changes in the landscape. So what do we do? I don't expect we will find one new technology or enhancement to an existing technology that will solve all our problems. I think the right approach is to be practical and improve things even imperfectly.
I will go further and state that our goal should be to adapt to changes occuring in CA market, as opposed to trying to hold back the tide, and to do so in a way that provides a smooth "glide path" to whatever the CA business will look like in the future. This means:
* putting standards in place that are consistent with the way CAs currently operate and are likely to operate in the future (as opposed to the way CAs were envisioned back in the dawn of the web)
* encouraging (not discouraging) more competition in the CA market and welcoming new entrants as long as they meet our minimum standards, in order to reduce the dominance of any one CA and make it easier to "turn off" a CA if this is ever needed (remember -- a threat that can't be carried out is not a credible threat)
* looking at some sort of "CA branding" scheme that provides something for users, CAs, and us
So to the topic at hand - what about the MF policy for PK root inclusion. My opinion is that there are many approaches we could take to improve the security proposition some will require a lot of work others less. The following are a few of my thoughts and suggestions.
For practical reasons I think it is easier to be tougher on the admission and more lenient on the removal side as it is much more difficult to orchestrate a reasonable removal without unduly damaging innocents such as web site operators who chose a CA that was later removed from the trust list.
Agreed, but removal becomes easier as average CA market share drops. Also, we have options short of actual removal; for example, we can put in "informational bars" (not popups) with warnings to the user.
I don't believe the bar can be set high enough on admission to the root list that it can be left unmaintained nor do I believe that any CA is capable of operating perfectly against strong policies such that thinks like revocation don't matter.
I propose a requirement that every CA whose certificates will identify ecommerce sites or software publishers must support revocation checking through standard means, say a CRL or OCSP pointer in every certificate. This could have an SLA aspect such that the OCSP or CRL not lapse (the CRL pointer should never point at a CRL whose next-udate time is three days ago).
These are good suggestions. The only problem is that Mozilla-related products do not enable CRL or OCSP checking by default, so this is irrelevant for typical users who do not change the default settings.
(Apparently there are code issues preventing us from pre-loading CRL information; CRLs currently have to be downloaded "by hand". The long-term solution is presumably parsing and acting upon CRL-related information in certs, e.g., the CrlDistributionPoint extension or whatever it is. There may also be a kludgier short-term way to turn this on using, e.g., a Firefox extension. But again, "we need a patch", as the saying goes.)
I think presentation of the CA logo leverages natural human and market systems to drive quality up for the consumer but practically this seems to be difficult as there is a UI real-estate issue - perhaps in time we will see the UI issue resolved through client software competition.
It's quite possible that it will take inclusion of "CA branding" in IE (assuming Microsoft does this as part of an overall anti-phishing strategy) to prompt Firefox developers to take a closer look at this. That's not necessarily a bad thing; Firefox has certainly looked to other browsers in the past for ideas about new features, and is none the worse for having done so.
Finally I think there is merit to having different requirements for different applications of PKI. Compare the risks of interacting with your bank, installing software, and logging into your favorite internet portal so it recalls your content preferences. In the banking case I really care about authentication and encryption as does the bank. If you interact with your bank from your computer than you (and your bank) both care about what software you install. A few good keylogging attacks in the press and we may see the priority of software publishing security increase.
We also IMO have some work to do in this area as well, for example doing a better job of protecting the integrity of mozilla.org software downloads and updates, using digital signatures and other techniques.
Frank
-- Frank Hecker [EMAIL PROTECTED] _______________________________________________ mozilla-crypto mailing list [email protected] http://mail.mozilla.org/listinfo/mozilla-crypto
