[Cryptography] Certificates and PKI

Ben Laurie ben at links.org
Tue Dec 23 06:09:44 EST 2014

On 22 December 2014 at 21:23, Benjamin Kreuter <brk7bx at virginia.edu> wrote:
> On Mon, 2014-12-22 at 13:32 +0000, Ben Laurie wrote:
>> Pinning does indeed not care who signed the certificate. However, it
>> introduces an apparently insurmountable problem: what happens when you
>> lose your key? And, to be clear, by "lose", I mean, "no longer have
>> access to". It seems that your website is then unavailable for
>> whatever the pin expiry time is. We don't think that's acceptable, nor
>> fixable without introducing some entity with essentially the same role
>> as a CA.
> How is a key any different from all the files and databases websites
> need to maintain backups for?  I think this is a tooling problem more
> than anything else:  make it easy to back up keys, and this is less of
> a problem.

We've had backups for a long time, and we still don't have easy, 100%
reliable, secure backup solutions. Not even sure we know how to create
them without involving further keys whose loss is catastrophic.

>> Dealing with leaked (i.e. usable by someone other than you) keys is
>> also problematic - how do you ever regain control of your domain if
>> you've ever had it taken over by a bad guy?
> Is this a worse situation than what we face with the PKI?  Right now if
> my key is leaked, I am in trouble.  I am also in trouble if any CA key
> is leaked, even if I take every precaution with my own key.
> I am not sure this problem is necessarily insurmountable.  If I still
> have access to my leaked key, I can use it to sign a new key -- such a
> mechanism would be necessary anyway.  Yes the attacker can also issue a
> new key and trick users who are already being attacked, but at least the
> attacker cannot do anything more than that (I can stop the attacker from
> compromising more users).  Sure, even after the attack is done users who
> were attacked will lose access until the pin expiration, which makes
> attacks somewhat more damaging, but in return we would not be reliant on
> CAs.

I don't get this: once the attacker has your key, you and he are
indistinguishable - how do you get to do anything he can't do?

>> However, I do wonder how people think a practical system with no
>> CA-like entities is supposed to work?
> It is supposed to work like SSH.  Yes, it is possible to be compromised
> by an active attacker with SSH, but there is only a small window of
> opportunity for the attacker.  Not many people actually check SSH keys
> when they log in for the first time, yet there are few reports of
> successful MITM attacks on SSH despite its widespread use and the high
> value of many SSH targets.
> One of the advantages of the SSH approach is that it makes hiding MITM
> attacks difficult.  The only way to know if a user will be warned is to
> actually try the attack; if the attack fails the user will be warned.

Isn't this like self-signed cert warnings? I.e. usually incorrect, so
justifiably ignored by most users?

> Compare that to a system with a CA-like entity, where you can compromise
> the CA and thus guarantee that your attack will not result in any
> warnings.

But if I compare the whole system, then I am back to the questions
I've raised above.

>> > How can we get the browser makers to stop buying in to the PKI
>> > fiction that does little except keep the CA business model alive?
>> Proposing an actual workable alternative would be a good first step.
> What we have now is not really working, so instead of asking for a
> "workable" alternative perhaps we should ask for a "better" alternative.

OK, then.
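
An added illustration, not part of this thread, of the key-loss problem discussed above: a toy model of RFC 7469 (HPKP) style pinning, where the pin is base64(SHA-256(SubjectPublicKeyInfo)) and a client refuses a host whose presented key matches none of its unexpired pins, alongside the mitigation the HPKP spec requires for exactly this case, a pre-committed backup pin. The hostname, the SPKI byte strings, and the 60-day max-age are constructed for the example.

```python
import base64
import hashlib

# Added illustration (not from the thread): why losing a pinned key makes a
# site unreachable for the pin's remaining max-age, and how a backup pin
# committed in advance avoids that. Keys are modelled as opaque SPKI bytes.

def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin value: base64(SHA-256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

class PinStore:
    """Client-side pin cache: host -> (set of pins, absolute expiry time)."""
    def __init__(self):
        self.pins = {}

    def connect(self, host, presented_spki, header_pins, max_age, now):
        entry = self.pins.get(host)
        if entry and now < entry[1]:
            # Unexpired pins exist: the presented key must match one of them.
            if spki_pin(presented_spki) not in entry[0]:
                return "REJECT"      # pin validation failure, no user override
        # Connection succeeded: (re)learn pins from the header (TOFU on first use).
        if header_pins:
            self.pins[host] = (set(header_pins), now + max_age)
        return "OK"

DAY = 86400
KEY_A, KEY_B = b"spki-of-key-A", b"spki-of-key-B"   # constructed sample keys

def key_loss_timeline(backup_pin=False):
    """Outcomes on day 0 (pin set with key A), day 1 (key A lost, key B
    deployed) and day 61 (past the 60-day max-age). With backup_pin=True the
    operator pinned key B's hash in advance, so rotation to B is accepted."""
    store, host = PinStore(), "example.test"
    pins = [spki_pin(KEY_A)] + ([spki_pin(KEY_B)] if backup_pin else [])
    r0 = store.connect(host, KEY_A, pins, 60 * DAY, now=0)
    r1 = store.connect(host, KEY_B, [spki_pin(KEY_B)], 60 * DAY, now=1 * DAY)
    r2 = store.connect(host, KEY_B, [spki_pin(KEY_B)], 60 * DAY, now=61 * DAY)
    return (r0, r1, r2)
```

Without a backup pin the rotation is rejected until the pin expires; with one, the client accepts key B immediately, which is the operational answer to "what happens when you lose your key" for a pinning scheme, at the cost of having to protect a second key in advance.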
