Fixing SSL (was Re: Dutch Transport Card Broken)
Ian G
iang at systemics.com
Thu Jan 31 19:55:11 EST 2008
Eric Rescorla wrote:
>>> (as if anyone uses client certificates anyway)?
>> Guess why so few people are using it ...
>> If it were secure, more people would be able to use it.
>
> No, if it were *convenient* people would use it. I know of absolutely
> zero evidence (nor have you presented any) that people choose not
> to use certs because of this kind of privacy issue--but I know
> of plenty that they find getting certs way too inconvenient.
In a CA I have something to do with, I'm observing a site
that just started experimenting with client certs (100
users, will reach 1000, maybe more).
When we discovered that the certificate includes PII
(personally identifying information) and the website stores
additional PII, the service was directed to drop all
additional PII, and some thought was put into the in-cert PII.
Current view is that the service must engage the user in a
contract to accept the storing of that in-cert PII,
otherwise it must not store the info in the cert (which
means no identity, no persistence, and no point to the
client certs).
Writing contracts and securing agreement of course is a
barrier, a burden. If this were a general requirement, then
this would be enough (imho) to not recommend client certs,
because contracts need lawyers, they cost real money, they
don't solve the problem, and not recommending them is
likewise unacceptable.
(Then, as you say, there are convenience issues.)
This is an experiment to force client certs to be used, so
they are plugging on. It's a CA so it is trying to prove
that there is value in these things.
So... there are two slight variations that could be
employed. Firstly, all data placed in the cert could be
declared public in advance, and then no contract is required
to use it in a context that is compatible with public data.
That is, the question of the contract is pushed to the CA/CPS.
(You mentioned that the premise is that it is all public
data...)
Another variation is to switch to username + password, of
course, in which case the username is freely given and
expected to be stored (certs being more or less invisible to
users, so we can presume no such).
(definately open to other ideas...)
The PII equation is particularly daunting, echoing Lynn's
early '90s experiences. I am told (but haven't really
verified) that the certificate serial number is PII and
therefore falls under the full weight of privacy law & regs
... this may sound ludicrous, but privacy and security are
different fields with different logics. If that is true,
the liability is far too high for something that should be
private, but is already public by dint of its exposure in
certificates. Privacy liabilities are sky-high in some
places, and not only that, they are incalculable,
unknowable, and vary with the person you are talking to.
So a superficial conclusion would be "don't use client
certificates because of the privacy issues" although the
issues are somewhat more complex than "PII revealed in SSL
key exchange."
As I say, they'll plug on, as they need to prove that the
cert is worth issuing. It's a data point, no more, and it
doesn't exactly answer your spec above. But I'm having fun
observing them trying to prove that client certs are worth
any amount of effort.
iang
PS: normal disclosures of interest + conflicts, included.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list