Re: Has any public CA ever had their certificate revoked?
At 6:02 PM +0200 5/8/09, R. Hirschfeld wrote:
>> Date: Tue, 5 May 2009 10:17:00 -0700
>> From: Paul Hoffman
>
>> the CA fixed the problem and researched all related problems that it
>> could find.
>
>From what I've read of the incident (I think it's the one referred
>to), Comodo revoked the bogus mozilla.com cert and got their reseller
>Certstar (who issued it) to start performing validation.

Correct.

>Security
>common sense might suggest that they validate all certs previously
>issued by Certstar and check the validation procedures of their other
>resellers. Do you know whether they did so?

Comodo publicly said they did. That's why I said "researched all related problems that it could find".

>The former seems a major
>undertaking and commercially delicate.

And yet they appear to have done it.

--Paul Hoffman, Director
--VPN Consortium

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
Re: Has any public CA ever had their certificate revoked?
> Date: Tue, 5 May 2009 10:17:00 -0700
> From: Paul Hoffman
> the CA fixed the problem and researched all related problems that it
> could find.

From what I've read of the incident (I think it's the one referred to), Comodo revoked the bogus mozilla.com cert and got their reseller Certstar (who issued it) to start performing validation. Security common sense might suggest that they validate all certs previously issued by Certstar and check the validation procedures of their other resellers. Do you know whether they did so? The former seems a major undertaking and commercially delicate.

Ray
Re: Has any public CA ever had their certificate revoked?
pgut...@cs.auckland.ac.nz (Peter Gutmann) on Thursday, May 7, 2009 wrote:

>>If SSL/TLS had as part of its handshake, a list of CAs that are acceptable to
>>the client, I could configure my browser with only high-reputation CAs.
>
>Uhh, how is that meant to work?

The client hello message would include the list of acceptable CAs. The server could use that list to select an acceptable certificate to return to the client. In the rare cases where there is a client certificate, the server hello could include a similar list and the client could use it to select an acceptable certificate. If the lists aren't included in the hello messages, the behavior is the same as the current versions of SSL/TLS.

>In any case even if it did, every time you went to a site using a cert vending
>machine not on your list the browser wouldn't let you connect (or at least not
>without serious amounts of messing around, which means that eventually you'd
>add it to your list just to get rid of the nuisance).

Yes, I know I'm way out in left field, but I just might not go to a web site if I cared about security with my transaction and the site didn't use a reasonable CA. There are many alternatives both with competitor organizations, and competitive communication techniques. For example, if I didn't like the CA my bank used, I could either change banks or do my banking by phone or in person at a local branch. I have avoided many sites that want user names and passwords, or want me to turn on Javascript. The popularity of the noscript plugin for Firefox means that perhaps I'm not the only one "out in left field".

Cheers - Bill

Bill Frantz        | gets() remains as a monument | Periwinkle
(408)356-8506      | to C's continuing support of | 16345 Englewood Ave
www.pwpconsult.com | buffer overruns.             | Los Gatos, CA 95032
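The selection rule Bill describes above, as an added Python model that is not part of the thread and not code from any of its authors. The CertChain and ClientHello records, the CA names and the "first matching chain wins" policy are all constructed for illustration; the same function serves the reverse direction (server-supplied list, client picks its certificate) since only the roles are swapped. TLS 1.3 later standardised a comparable mechanism as the certificate_authorities extension (RFC 8446, section 4.2.4), which this model does not attempt to reproduce byte-for-byte.

```python
"""Added example (not from the thread): a model of a client hello that
carries a list of acceptable CAs, which the server uses to pick which of
its certificate chains to send. Names, chains and policy are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class CertChain:
    """A server's certificate chain, reduced to the names that matter for
    CA selection: the leaf subject and the issuers up to the root."""
    leaf_subject: str
    issuers: list[str]            # intermediate(s) first, root last

    @property
    def root(self) -> str:
        return self.issuers[-1]


@dataclass
class ClientHello:
    """Constructed stand-in for a client hello with the optional list of
    CA names the client is willing to trust. None means the list was not
    sent at all, which must fall back to today's behaviour."""
    server_name: str
    acceptable_cas: Optional[list[str]] = None


def select_chain(hello: ClientHello, chains: list[CertChain]) -> Optional[CertChain]:
    """Pick the chain to return to the peer.

    - No list in the hello: behave exactly as current SSL/TLS and send the
      server's default (first) chain.
    - List present: send the first chain that passes through a listed CA.
      An intermediate counts as well as a root, since the client could
      anchor trust there.
    - List present but nothing qualifies: return None, so the server can
      abort instead of sending a certificate the client has said it will
      reject.
    """
    if not chains:
        return None
    if hello.acceptable_cas is None:
        return chains[0]
    wanted = set(hello.acceptable_cas)
    for chain in chains:
        if any(name in wanted for name in chain.issuers):
            return chain
    return None


# Constructed sample data: one server holding certificates from two CAs,
# which is exactly the "get certificates from more than one CA" situation
# the proposal would create.
EXAMPLE_CHAINS = [
    CertChain("www.example-bank.test",
              ["Example Cheap CA Intermediate", "Example Cheap CA Root"]),
    CertChain("www.example-bank.test",
              ["Example Reputable CA Intermediate", "Example Reputable CA Root"]),
]


def demo() -> dict:
    """Run the three cases and return the root chosen in each."""
    legacy = select_chain(ClientHello("www.example-bank.test"), EXAMPLE_CHAINS)
    picky = select_chain(
        ClientHello("www.example-bank.test", ["Example Reputable CA Root"]),
        EXAMPLE_CHAINS)
    nomatch = select_chain(
        ClientHello("www.example-bank.test", ["Some Other CA Root"]),
        EXAMPLE_CHAINS)
    return {
        "legacy": legacy.root if legacy else None,
        "picky": picky.root if picky else None,
        "nomatch": nomatch.root if nomatch else None,
    }


if __name__ == "__main__":
    print(demo())
```

The interesting case is the third one: a client that has deliberately trimmed its list gets a clean handshake failure rather than a certificate it would have to override, which is the point Peter raises about nuisance prompts training users to add CAs back.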
Re: Has any public CA ever had their certificate revoked?
Bill Frantz writes:

>So my reaction is to say that it's all a big stinking pile and try to develop
>systems and procedures that don't rely on CAs. (e.g. curl with a copy of the
>server's self-signed certificate, the Petname toolbar, etc.)

The problem with this is that recent changes in browser UI (particularly in FF3) make it really, really hard to work with anything but cert-vending-machine certificates.

It could be argued that of all the (public) CAs out there, CACert is the most trustworthy because they're the only one not motivated by money to crank out as many certs as possible as cheaply as possible (although the last time I checked they also do email-verification-only certs, so it may be more a theoretical advantage than a real one). Of course with the universal implicit cross-certification present in browsers this is all a moot point because the whole thing is only as secure as the least reliable, least diligent sub-sub-sub-CA in the whole dogpile (insert Matt Blaze PKI quote here).

>If SSL/TLS had as part of its handshake, a list of CAs that are acceptable to
>the client, I could configure my browser with only high-reputation CAs.

Uhh, how is that meant to work? In any case even if it did, every time you went to a site using a cert vending machine not on your list the browser wouldn't let you connect (or at least not without serious amounts of messing around, which means that eventually you'd add it to your list just to get rid of the nuisance).

This is unfixably broken. We've been trying the same broken thing for fifteen years now and it still hasn't started to work. The solution is to look at alternatives like mechanisms that protect relationships (challenge-response mutual auth like TLS-SRP and TLS-PSK), not a nonfunctional mechanism which, even if it worked perfectly, could only protect mostly-meaningless names.

Peter.
Re: Has any public CA ever had their certificate revoked?
pgut...@cs.auckland.ac.nz (Peter Gutmann) on Thursday, May 7, 2009 wrote:

>Paul Hoffman writes:
>
>>Peter, you really need more detents on the knob for your hyperbole setting.
>>"nothing happened" is flat-out wrong: the CA fixed the problem and researched
>>all related problems that it could find. Perhaps you meant "the CA was not
>>punished": that would be correct in this case.
>
>What I meant was that there were no repercussions due to the CA acting
>negligently. This is "nothing happened" as far as motivating CAs to exercise
>diligence is concerned, you can be as negligent as you like but as long as you
>look suitably embarrassed afterwards there are no repercussions (that is,
>there's no evidence that there was any exodus of customers from the CA, or any
>other CA that's done similar things in the past).
>
>...
>
>If a CA in a trust anchor pile does something terribly wrong and there are no
>repercussions, why would any CA care about doing things right? All that does
>is drive up costs. The perverse incentive that this creates is for CAs to
>ship as many certificates as possible while applying as little effort as
>possible. And thus we have the current state of commercial PKI.

It seems to me that there are a number of problems with the current CA situation. Since no CAs have been identified by name (except Verisign for a very old problem), it is hard for me to reduce the reputation of a specific CA. Even if one was identified, it's not clear what I could do to move business to more responsible CAs. So my reaction is to say that it's all a big stinking pile and try to develop systems and procedures that don't rely on CAs. (e.g. curl with a copy of the server's self-signed certificate, the Petname toolbar, etc.)

If SSL/TLS had as part of its handshake, a list of CAs that are acceptable to the client, I could configure my browser with only high-reputation CAs. This step would probably make it desirable for servers to get certificates from more than one CA so they could return a certificate signed by an acceptable CA. It would certainly allow for some market pressure on CAs, and high reputation CAs might be able to charge more for certificates. (The last time I ran into a case where the server certificate was not signed by a CA on my browser's default list, I used the 800 number instead. That was for activating a credit card.)

In addition, I am worried that some country's cyber-warfare department has a copy of some well-installed CA's signing key and can generate certificates whenever it wants. When D-day comes, it will spoof DNS and use the certificates to disrupt the economy of its target country. If we had a 2 level security system, with CAs for the first introduction, and something more robust for subsequent sessions, these attack scenarios would be less likely.

Cheers - Bill

Bill Frantz        | gets() remains as a monument | Periwinkle
(408)356-8506      | to C's continuing support of | 16345 Englewood Ave
www.pwpconsult.com | buffer overruns.             | Los Gatos, CA 95032
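The "2 level" idea in the last paragraph above (a CA vouches for the first introduction, something stronger guards later sessions), as an added Python model that is not part of the thread and not code from any of its authors. It is a key-continuity check: on first contact the chain must validate to a trusted root, and the leaf public key is pinned; on later sessions the pinned key must reappear, so a certificate for the same name issued under a different key is rejected even when a trusted CA signed it. The PresentedCert record, the trusted-root set and the byte strings standing in for SubjectPublicKeyInfo are all constructed; a real client would feed in the DER from the TLS handshake.

```python
"""Added example (not from the thread): CA validation on first contact,
key continuity afterwards. All inputs are constructed stand-ins.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class PresentedCert:
    """What a server presented, reduced to the fields this check needs."""
    host: str
    root_ca: str          # root the chain validated up to
    spki_der: bytes       # stand-in for the leaf's SubjectPublicKeyInfo


def spki_fingerprint(spki_der: bytes) -> str:
    """Pin the public key rather than the whole cert so a re-issued
    certificate for the same key still passes."""
    return hashlib.sha256(spki_der).hexdigest()


class KeyContinuityStore:
    """Level 1: trusted CA required on first contact.
    Level 2: the key seen at introduction must persist."""

    def __init__(self, trusted_roots: set[str]):
        self.trusted_roots = set(trusted_roots)
        self.pins: dict[str, str] = {}

    def check(self, cert: PresentedCert) -> str:
        """Return "introduced", "continuity-ok", "untrusted-ca" or
        "key-mismatch". A caller connects only on the first two."""
        fp = spki_fingerprint(cert.spki_der)
        pinned = self.pins.get(cert.host)
        if pinned is None:
            # First contact: only the CA can vouch for the name.
            if cert.root_ca not in self.trusted_roots:
                return "untrusted-ca"
            self.pins[cert.host] = fp
            return "introduced"
        # Later sessions: a different key is an error even with a trusted
        # CA behind it. The pin is never replaced silently; an operator
        # clears it with reset() after confirming a legitimate key change.
        if fp != pinned:
            return "key-mismatch"
        return "continuity-ok"

    def reset(self, host: str) -> None:
        self.pins.pop(host, None)


def demo() -> list[str]:
    """Walk through the cases the scheme is meant to distinguish."""
    store = KeyContinuityStore({"Good Root CA"})
    bank_key = b"constructed-spki-bytes-for-bank-key-0001"
    other_key = b"constructed-spki-bytes-for-other-key-0002"
    bank_key_v2 = b"constructed-spki-bytes-for-bank-key-0003"
    results = [
        # First contact under a root we do not trust: refused.
        store.check(PresentedCert("bank.test", "Unknown Root CA", bank_key)),
        # First contact under a trusted root: accepted and pinned.
        store.check(PresentedCert("bank.test", "Good Root CA", bank_key)),
        # Same key again: continuity holds.
        store.check(PresentedCert("bank.test", "Good Root CA", bank_key)),
        # Same name, trusted root, different key: the case a misused CA
        # signing key would produce. Refused despite the valid chain.
        store.check(PresentedCert("bank.test", "Good Root CA", other_key)),
    ]
    # Legitimate key rotation requires an explicit reset, after which the
    # CA is consulted again for the new introduction.
    store.reset("bank.test")
    results.append(store.check(PresentedCert("bank.test", "Good Root CA", bank_key_v2)))
    return results


if __name__ == "__main__":
    print(demo())
```

The trade-off is visible in the last two steps: continuity makes the "spoof DNS plus a certificate from a compromised CA" scenario fail closed, at the cost of turning every genuine key rotation into a manual event, which is the usability problem any deployment of this idea has to budget for.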
Re: Has any public CA ever had their certificate revoked?
At 1:02 AM +1200 5/7/09, Peter Gutmann wrote:
>Paul Hoffman writes:
>
>>Peter, you really need more detents on the knob for your hyperbole setting.
>>"nothing happened" is flat-out wrong: the CA fixed the problem and researched
>>all related problems that it could find. Perhaps you meant "the CA was not
>>punished": that would be correct in this case.
>
>What I meant was that there were no repercussions due to the CA acting
>negligently.

We agree fully, then.

>This is "nothing happened" as far as motivating CAs to exercise
>diligence is concerned, you can be as negligent as you like but as long as you
>look suitably embarrassed afterwards there are no repercussions (that is,
>there's no evidence that there was any exodus of customers from the CA, or any
>other CA that's done similar things in the past).

This assertion is probably, but unprovably, wrong. I suspect the CA now has better mechanisms in place to check for the problem in the future, and I suspect that a few other CAs seeing the kerfuffle probably added their own automated checks. Note that these are checks that should have been in place before the error was found.

>Imagine if a surgeon used rusty scalpels and randomly killed patients, or a
>bank handed out money to anyone walking in the door and claiming to have an
>account there, or a restaurant served spoiled food, or ... . The
>repercussions in all of these cases would be quite severe. However when
>several CAs exhibited the same level of carelessness, they looked a bit
>embarrassed and then went back to business as usual.

...because not only did no one die, but also the CAs were able to fix the problem.

>The CA-as-a-certificate-vending-machine problem (or "rogue CA" if you want to
>call it that) had been known for years (Verisign's "Microsoft" certificates of
>2001 were the first case that got widespread publicity) but since there are no
>repercussions for CAs doing this there's no incentive for anything to change.

s/no/small/

>>This leads to the question: if a CA in a trust anchor pile does something
>>wrong (terribly wrong, in this case) and fixes it, should they be punished?
>
>If a CA in a trust anchor pile does something terribly wrong and there are no
>repercussions, why would any CA care about doing things right?

Slight worry about making a more serious mistake than happened here.

>All that does
>is drive up costs. The perverse incentive that this creates is for CAs to
>ship as many certificates as possible while applying as little effort as
>possible. And thus we have the current state of commercial PKI.

Fully agree.

--Paul Hoffman, Director
--VPN Consortium
Re: Has any public CA ever had their certificate revoked?
Paul Hoffman writes:

>Peter, you really need more detents on the knob for your hyperbole setting.
>"nothing happened" is flat-out wrong: the CA fixed the problem and researched
>all related problems that it could find. Perhaps you meant "the CA was not
>punished": that would be correct in this case.

What I meant was that there were no repercussions due to the CA acting negligently. This is "nothing happened" as far as motivating CAs to exercise diligence is concerned, you can be as negligent as you like but as long as you look suitably embarrassed afterwards there are no repercussions (that is, there's no evidence that there was any exodus of customers from the CA, or any other CA that's done similar things in the past).

Imagine if a surgeon used rusty scalpels and randomly killed patients, or a bank handed out money to anyone walking in the door and claiming to have an account there, or a restaurant served spoiled food, or ... . The repercussions in all of these cases would be quite severe. However when several CAs exhibited the same level of carelessness, they looked a bit embarrassed and then went back to business as usual. The CA-as-a-certificate-vending-machine problem (or "rogue CA" if you want to call it that) had been known for years (Verisign's "Microsoft" certificates of 2001 were the first case that got widespread publicity) but since there are no repercussions for CAs doing this there's no incentive for anything to change.

>This leads to the question: if a CA in a trust anchor pile does something
>wrong (terribly wrong, in this case) and fixes it, should they be punished?

If a CA in a trust anchor pile does something terribly wrong and there are no repercussions, why would any CA care about doing things right? All that does is drive up costs. The perverse incentive that this creates is for CAs to ship as many certificates as possible while applying as little effort as possible. And thus we have the current state of commercial PKI.

Peter.
Re: Has any public CA ever had their certificate revoked?
At 6:44 PM -0400 5/5/09, Jerry Leichter wrote:
>On May 5, 2009, at 1:17 PM, Paul Hoffman wrote:
>>...This leads to the question: if a CA in a trust anchor pile does something
>>wrong (terribly wrong, in this case) and fixes it, should they be punished?
>>If you say "yes", you should be ready to answer "who will benefit from the
>>punishment" and "in what way should the CA be punished"
>The same question can be asked about *any* instance of criminal behavior, or
>of any other kind of behavior that is considered "bad enough" to be worthy of
>punishment.

Tautologically so.

>As for what your punishment as a "bad CA" should be: Realistically, in any
>industry based on trust, the major component of punishment should be loss of
>trust - which results in people refusing to do business with you any more,
>which will usually put you out of business.

Even with this definition, there was no significant punishment in this case. I'm not saying there should be, particularly because the CA cleaned things up fairly rapidly, but only a few people probably have reduced their trust of the CA in question.

>In egregious cases, we send people to jail (where they can spend time with
>Bernie Madoff). We also have mechanisms that aren't punishments but deal with
>the equities of the situation: They try to right the wrongs. So if I can
>show that your malfeasance as a CA led to my losing money, you have to
>compensate me.

That has never been shown in a case of CAs not following their stated procedures.

--Paul Hoffman, Director
--VPN Consortium
Re: Has any public CA ever had their certificate revoked?
On May 5, 2009, at 1:17 PM, Paul Hoffman wrote:
> ...This leads to the question: if a CA in a trust anchor pile does something
> wrong (terribly wrong, in this case) and fixes it, should they be punished?
> If you say "yes", you should be ready to answer "who will benefit from the
> punishment" and "in what way should the CA be punished"

The same question can be asked about *any* instance of criminal behavior, or of any other kind of behavior that is considered "bad enough" to be worthy of punishment. To go to the extreme: The victim is already dead, jailing the murderer won't bring him back - all you are doing is costing society directly (we have to pay the costs of keeping him in jail - quite expensive, actually) and indirectly (we won't have the fruits of his labor - like, say, new file systems). We punish acts to send a message that certain things are unacceptable, to deter the actor and others, out of a sense of justice, and for other related reasons. The beneficiaries are *everyone else*. The strength of Tit For Tat as a strategy shows that motives like this tap into very basic properties of multi-party games.

As for what your punishment as a "bad CA" should be: Realistically, in any industry based on trust, the major component of punishment should be loss of trust - which results in people refusing to do business with you any more, which will usually put you out of business. In egregious cases, we send people to jail (where they can spend time with Bernie Madoff). We also have mechanisms that aren't punishments but deal with the equities of the situation: They try to right the wrongs. So if I can show that your malfeasance as a CA led to my losing money, you have to compensate me. There's a whole grey area in between that centers on the principle that you should not be allowed to profit from your ill-gotten gains - whether or not we can figure out how to return those gains to those who rightly should have them.

Thierry Moreau has already pointed out that political/economic reality here makes any meaningful punishment impossible. That's why the CA industry can't ever really be a trust industry - you can't rely on a party who disclaims all responsibility, no matter what.

-- Jerry
Re: Has any public CA ever had their certificate revoked?
On 05/05/09 14:01, Thierry Moreau wrote:
> Before the collapse of the .com market in year 2000, there were grandiose
> views of "global PKIs," even with support by digital signature laws.
> Actually, it turned out that CA liability avoidance was the golden rule at
> the law and business model abstraction level. Bradford Biddle published a
> couple of articles on this topic, e.g. in the San Diego Law Review, Vol 34,
> No 3.
>
> The main lesson (validated after the PKI re-birth post-2002) is that no
> entity will ever position itself as a commercially viable global CA unless
> totally devoid of liability towards relying parties.
>
> Thus no punishment is conceivable beyond Peter's opinions (they are
> protected by Freedom of speech at least). That was predicted by the Brad
> Biddle analysis 12 years ago.

we had been brought in to help word-smith the cal. state electronic signature law. there were some legal types who very clearly differentiated what was required for something to be considered "human signature" (implication that something has been read, understood, agrees, approves, &/or authorizes) and PKI "digital signatures" used for authentication. we've periodically commented that there may be some cognitive dissonance because both terms contain the word "signature".

slightly related pontification
http://www.garlic.com/~lynn/2009g.html#48

regarding this recent article mentioning SSL Inventor: SSL security woes are really the fault of browser design
http://www.fiercecio.com/techwatch/story/inventor-ssl-security-woes-really-fault-browser-design/2009-05-05

--
40+yrs virtualization experience (since Jan68), online at home since Mar70
Re: Has any public CA ever had their certificate revoked?
Paul Hoffman wrote:
> At 4:11 PM +1200 5/5/09, Peter Gutmann wrote:
>> Thierry Moreau writes:
>>
>>> Now that the main question is answered, there are sub-questions to be asked:
>>>
>>> 1. Has any public CA ever encountered a situation where a revocation would
>>> have been necessary?
>>
>> Yes, several times, see e.g. the recent mozilla.org fiasco, as a result of
>> which nothing happened because it would have been politically inexpedient to
>> revoke the CA's cert.
>
> Peter, you really need more detents on the knob for your hyperbole setting.
> "nothing happened" is flat-out wrong: the CA fixed the problem and researched
> all related problems that it could find. Perhaps you meant "the CA was not
> punished": that would be correct in this case.
>
> This leads to the question: if a CA in a trust anchor pile does something
> wrong (terribly wrong, in this case) and fixes it, should they be punished?
> If you say "yes", you should be ready to answer "who will benefit from the
> punishment" and "in what way should the CA be punished". (You don't have to
> answer these, of course: you can just mete out punishment because it makes
> you feel good and powerful. There is lots of history of that.)

Before the collapse of the .com market in year 2000, there were grandiose views of "global PKIs," even with support by digital signature laws. Actually, it turned out that CA liability avoidance was the golden rule at the law and business model abstraction level. Bradford Biddle published a couple of articles on this topic, e.g. in the San Diego Law Review, Vol 34, No 3.

The main lesson (validated after the PKI re-birth post-2002) is that no entity will ever position itself as a commercially viable global CA unless totally devoid of liability towards relying parties.

Thus no punishment is conceivable beyond Peter's opinions (they are protected by Freedom of speech at least). That was predicted by the Brad Biddle analysis 12 years ago.

Regards,

--
- Thierry Moreau
Re: Has any public CA ever had their certificate revoked?
At 4:11 PM +1200 5/5/09, Peter Gutmann wrote:
>Thierry Moreau writes:
>
>>Now that the main question is answered, there are sub-questions to be asked:
>>
>>1. Has any public CA ever encountered a situation where a revocation would
>>have been necessary?
>
>Yes, several times, see e.g. the recent mozilla.org fiasco, as a result of
>which nothing happened because it would have been politically inexpedient to
>revoke the CA's cert.

Peter, you really need more detents on the knob for your hyperbole setting. "nothing happened" is flat-out wrong: the CA fixed the problem and researched all related problems that it could find. Perhaps you meant "the CA was not punished": that would be correct in this case.

This leads to the question: if a CA in a trust anchor pile does something wrong (terribly wrong, in this case) and fixes it, should they be punished? If you say "yes", you should be ready to answer "who will benefit from the punishment" and "in what way should the CA be punished". (You don't have to answer these, of course: you can just mete out punishment because it makes you feel good and powerful. There is lots of history of that.)

--Paul Hoffman, Director
--VPN Consortium
Re: Has any public CA ever had their certificate revoked?
Thierry Moreau writes:

>Now that the main question is answered, there are sub-questions to be asked:
>
>1. Has any public CA ever encountered a situation where a revocation would
>have been necessary?

Yes, several times, see e.g. the recent mozilla.org fiasco, as a result of which nothing happened because it would have been politically inexpedient to revoke the CA's cert.

>1.1 Has any public CA ever had a disgruntled employee with too many privileges
>not revoked in a timely manner?

Yes.

>1.2 Has any public CA ever experienced a corporate reorganization where a
>backup HSM has been lost?

Not explicitly lost, but sold on eBay (depending on what your definition of "public CA" is, probably more "large private-label CA", once the PKI project is scrapped no-one really cares what happens to the hardware, so just as you can buy hard drives full of financial records on eBay you can also buy HSMs loaded with CA keys. Unfortunately I'm still waiting for a browser root CA key to turn up in one :-).

>2. Has any public CA ever suspected a situation where a revocation would have
>been necessary?

Yes, see above.

>2.1 Has any public CA ever had an audit that identified mismanagement of
>signature private key over some extended period of time?

Again, what's "mismanagement"? Would "CA went bankrupt and ex-employees issued themselves certs in lieu of severance pay" count? Or "CA went bankrupt and there was no-one left to manage the keys, including issuing CRLs for revoked certs" count? Or ...

Peter.
Re: Has any public CA ever had their certificate revoked?
d...@geer.org wrote:
> No, [...]

Now that the main question is answered, there are sub-questions to be asked:

1. Has any public CA ever encountered a situation where a revocation would have been necessary?

1.1 Has any public CA ever had a disgruntled employee with too many privileges not revoked in a timely manner?

1.2 Has any public CA ever experienced a corporate reorganization where a backup HSM has been lost?

1.3 ...

2. Has any public CA ever suspected a situation where a revocation would have been necessary?

2.1 Has any public CA ever had an audit that identified mismanagement of signature private key over some extended period of time?

2.2 ...

Regards,

--
- Thierry Moreau
Re: Has any public CA ever had their certificate revoked?
No, but a few years ago I looked at all the certs in IE and Netscape and found that about 30% of them were from companies that were at that time no longer in existence. The expiries on those where-are-they-now certs were often as not three decades into the future.

N.B., if you are willing to take "no longer baked into the browser" as effectively revocation, there is a retrospective clerical job that might be a fun project if you had some graduate student labor to assign.

--dan
Has any public CA ever had their certificate revoked?
Subject says it all, does anyone know of a public, commercial CA (meaning one baked into a browser or the OS, including any sub-CA's hanging off the roots) ever having their certificate revoked? An ongoing private poll hasn't turned up anything, but perhaps others know of instances where this occurred.

Peter.