A mighty fortress is our PKI

Paul Tiemann paul.tiemann.usenet at gmail.com
Wed Jul 28 00:10:54 EDT 2010


On Jul 26, 2010, at 10:22 PM, Chris Palmer wrote:

> Perry E. Metzger writes:
> 
>> All major browsers already trust CAs that have virtually no security to
>> speak of,
> 
> ...and trust any of those CAs on any (TCP) connection in the (web app)
> session. Even if your first connection was authenticated by the right CA,
> the second one may not be. Zusmann and Sotirov suggested "SSL pinning" (like
> DNS pinning, in which the browser caches the DNS response for the rest of
> the browser process' lifetime), but as far as I know browsers haven't
> implemented the feature.

I like the idea of SSL pinning, but could it be improved if statistics were kept long-term (how many times I've visited this site and how many times it's had certificate X, but today it has certificate Y from a different issuer and certificate X wasn't even near its expiration date...)

Another thought: Maybe this has been thought of before, but what about emulating the Sender Policy Framework (SPF) for domains and PKI?  Allow each domain to set a DNS TXT record that lists the allowed CA issuers for SSL certificates used on that domain.  (Crypto Policy Framework=CPF?)

cpf.digicert.com IN TXT "v=cpf1 /^DigiCert/ -all"

Get the top 5 browsers to support it, and a lot of that "any CA can issue to any domain" risk goes way down.

Thought: Could you even list your own root cert there as an http URL, and get Mozilla to give a nicer treatment to your own root certificate in limited scope (inserted into some kind of limited-trust cert store, valid for your domains only)?

Is there a reason that opportunistic crypto (no cert required) hasn't been done for https?  Would it give too much confidence to people whose DNS is being spoofed?

> A presentation I've given at a few security gatherings may be of interest. I
> cover some specific security, UI/UX, and policy problems, as well as some
> general observations about incentives and barriers to improvement. Our
> overall recommendation is to emulate the success of SSH, but in a browser-y,
> gentle-compliance-with-the-status-quo-where-safe way.
> 
> https://docs.google.com/present/view?id=df9sn445_206ff3kn9gs

Great slides!  The TOFU/POP is nice, and my favorite concept was to translate every error message into a one sentence, easy-to-understand statement.

Paul Tiemann
(DigiCert)
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
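A worked evaluator for the CPF record idea sketched in the message above, added here as an example; it is not code from the poster or from DigiCert. The record syntax follows the post's "v=cpf1 /^DigiCert/ -all" sketch: whitespace-separated mechanisms, each either a regex in slashes matched against the certificate's issuer name or the catch-all "all", evaluated first-match-wins. Everything else is an assumption borrowed from SPF rather than something the post specifies: the qualifier prefixes (+ pass, - fail, ~ softfail, ? neutral), treating zero or several cpf1 records as "no usable policy", and the lookup name cpf.<domain>. The zone data and issuer names are constructed.

```python
"""CPF-style (SPF-for-certificates) policy check: example code, not the post's.

Assumptions, not from the post: SPF-like qualifiers, first-match semantics,
and that a missing/ambiguous/malformed record yields "none" so a client can
fall back to its existing behaviour instead of failing open or closed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

PASS, FAIL, SOFTFAIL, NEUTRAL, NONE = "pass", "fail", "softfail", "neutral", "none"
_QUALIFIERS = {"+": PASS, "-": FAIL, "~": SOFTFAIL, "?": NEUTRAL}


@dataclass
class Mechanism:
    result: str
    pattern: Optional[re.Pattern]  # None means the catch-all "all"

    def matches(self, issuer: str) -> bool:
        return self.pattern is None or self.pattern.search(issuer) is not None


def parse_cpf(txt: str) -> List[Mechanism]:
    """Parse 'v=cpf1 <mech> ...' into an ordered list of mechanisms.

    Raises ValueError for anything that is not a well-formed cpf1 record,
    including regexes that do not compile.
    """
    tokens = txt.split()
    if not tokens or tokens[0] != "v=cpf1":
        raise ValueError("not a v=cpf1 record")
    mechs: List[Mechanism] = []
    for tok in tokens[1:]:
        result = PASS  # SPF convention: no qualifier means "+"
        if tok and tok[0] in _QUALIFIERS:
            result, tok = _QUALIFIERS[tok[0]], tok[1:]
        if tok == "all":
            mechs.append(Mechanism(result, None))
        elif len(tok) >= 3 and tok[0] == "/" and tok[-1] == "/":
            try:
                mechs.append(Mechanism(result, re.compile(tok[1:-1])))
            except re.error as exc:
                raise ValueError(f"bad pattern {tok!r}: {exc}") from exc
        else:
            raise ValueError(f"unknown mechanism: {tok!r}")
    return mechs


def evaluate(policy: List[Mechanism], issuer: str) -> str:
    """First matching mechanism decides; no match at all is 'none'."""
    for mech in policy:
        if mech.matches(issuer):
            return mech.result
    return NONE


# Constructed sample zone data standing in for real DNS TXT lookups.
SAMPLE_TXT: Dict[str, List[str]] = {
    "cpf.digicert.com": ["v=cpf1 /^DigiCert/ -all"],
    "cpf.example.org": ["unrelated txt record", "v=cpf1 /^ExampleCA/ ~all"],
    "cpf.broken.test": ["v=cpf1 /^A/ -all", "v=cpf1 /^B/ -all"],  # ambiguous
}


def check_issuer(domain: str, issuer: str,
                 txt_records: Dict[str, List[str]] = SAMPLE_TXT) -> str:
    """Apply the domain's cpf1 policy (if exactly one exists) to an issuer name."""
    candidates = [t for t in txt_records.get("cpf." + domain, [])
                  if t.split()[:1] == ["v=cpf1"]]
    if len(candidates) != 1:  # none or several: no usable policy
        return NONE
    try:
        policy = parse_cpf(candidates[0])
    except ValueError:
        return NONE  # malformed record: treat like no policy rather than guess
    return evaluate(policy, issuer)


if __name__ == "__main__":
    for dom, iss in [("digicert.com", "DigiCert Example Issuing CA"),
                     ("digicert.com", "Other Example CA"),
                     ("example.org", "Other CA"),
                     ("broken.test", "A CA")]:
        print(f"{dom:14} issuer={iss!r:32} -> {check_issuer(dom, iss)}")
```

A client would act only on "pass"/"fail"/"softfail" and keep its existing CA-trust behaviour on "none"; the distinction between an absent record and a malformed one is deliberately collapsed so that a typo in the zone cannot lock the domain's owner out of their own site.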