[Cryptography] Certificates and PKI

Guido Witmond guido at witmond.nl
Wed Dec 24 14:01:46 EST 2014

On 12/23/14 12:18, Ben Laurie wrote:
> On 22 December 2014 at 15:47, Guido Witmond <guido at witmond.nl> wrote:
>> On 12/22/14 14:33, Ben Laurie wrote:

>> If we think CAs are not a good solution, how is it the
>>> registries/registrars magically are?
>> The missing ingredient is a way for the end user to identify when a
>> site's TLSA-records gets compromised.
>> For that, each site needs to run their own CA, sign their server
>> certificate with it and publish their own CA-cert in DANE.
>> The user agent (browser) can pin the domain name and CA-cert together at
>> first contact. It's Trust-on-First-use, agreed. But for that we have CT
>> to provide a historic view, reducing the amount of trust at first.
> OK, so DANE + pinning + CT? I'm not entirely sure about including
> pinning (because of the aforementioned difficulties). However, seems
> like a step in the right direction, but I still end up back where I
> started:
> a) (If pinning is in the picture): what is done about failures as I
> originally asked?

There are some possible failures:

1: a site owner accidentally destroys their private CA key. They have to
go the public route via the news, as Bear described in his example on
Amazon. The user needs to reset their pinning. It must be clear to users
that it is an emergency measure, unlike current errors/warnings about

2: the private key of the private CA of a site leaks and the thieves use
it to sign a server certificate for their fake bank site. They try to
lure victims to their fake site. Browser rejects based upon mismatch
with pinned version and a missing entry in CT. If thieves submit their
server cert to CT, it will get detected.

3. A service provider provides key storage for private CAs private keys
and does certificate signing for its customers. This provider gets
hacked and it comes to light. This provider gets known as Diginotar.

> b) How do we prevent CT from being spammed?

Only the site owner (who owns the site's private CA) can sign valid
certificates. Just rate limit to a low number of certs per domain.

> c) What do we do when badness is detected using this system?

See a). I thing that coming up with a protocol to do automatically
handle the bad stuff is giving criminals/governments the mechanisms to
abuse. I hope that someone can prove me wrong.

Regards, Guido Witmond.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20141224/7ea3f82c/attachment.sig>

More information about the cryptography mailing list