[Cryptography] Other obvious issues being ignored?

John Denker jsd at av8n.com
Wed Oct 21 09:19:29 EDT 2015


On 10/19/2015 06:10 AM, Thierry Moreau wrote:
> 
> What other "obvious" questions are we ignoring?

This is a fascinating, important thread.

Here's something to add to the list:

*) The fact that my operating system shipped with something like
 170 trusted "root" CAs is a problem.  When the attack surface is
 that large, it cannot be defended.  This is a profound, grotesque,
 obvious problem.

 It makes a mockery of the intended meaning of "root".

 It is a travesty that the Mozilla Foundation pays DigiCert to certify
 that mozilla.org is "trusted" ... when in effect it is Mozilla that
 decides whether DigiCert is trusted, not vice versa.

 Some small steps have been taken toward alleviating this problem 
 (pinning, transparency, cross-signing) but overall, the problem
 is nowhere near solved.

*) As an illustration of the aforementioned problem, and also
 as a problem unto itself, when the recent Superfish fiasco was
 exposed, Mozilla had no way to revoke the offending cert ... 
 and they didn't seem to think this was a problem.  They said:

>> Let's remember that root trust anchor CA certificates cannot be
>> revoked with CRLs or OCSP because certificate verification libraries
>> don't check them for revocation because the design of CRL/OCSP
>> revocation mechanisms is such that doing so doesn't make sense.

 I'm not sure I understand what they're saying.  I asked for clarification
 and didn't get any replies.  Possible interpretations include:
  -- They can't revoke the CA cert because the software is profoundly
   screwed up and they don't feel like fixing it.
  -- They can't revoke the CA cert and they don't see why that might
   be a problem.

Reference:
  https://bugzilla.mozilla.org/show_bug.cgi?id=1134506

*) As a related problem, it is ludicrous that each of those CAs
 has unlimited signing powers.  Obviously ludicrous.  For example,
 the Hong Kong Post Office could sign a certificate for irs.gov
 or microsoft.com or whatever.

 There are people on this list who think that SSLv3 signing
 constraints are not worth supporting, which I find bizarre,
 although it does make a self-fulfilling prophecy:  If the
 constraints are not enforced, nobody will bother using them.
 I'm not saying they would solve all the world's problems,
 but they could be used to reduce the attack surface somewhat.

============

Speaking of obvious, here's a super-obvious constructive suggestion:
There should be at most *one* all-powerful root CA.  If/when Mozilla 
decides to trust some CA, Mozilla should *sign* the CA, not simply
compile it into the list of trusted CAs.  This would regularize the
process of adding CAs to the list ... and revoking them when necessary.

I say "at most" one, because it would be even better to require
CAs such as DigiCert to be signed more than once.  For instance,
browsers used within the Taiwanese military might require CAs to
be signed by their own Information Assurance team, not just by
Mozilla.  They might decide they don't trust the Hong Kong Post
Office with unlimited signing powers, even though Mozilla does.
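
The following is an added example, not part of the original post: a minimal sketch of how name constraints limit what a CA may sign, contrasted with the unconstrained case the message describes. It assumes the "signing constraints" mentioned above correspond to X.509 name constraints with RFC 5280 dNSName matching; the `CA` class, the `may_sign` and `chain_allows` helpers, and the constraint values ("hk", "mil.hk") are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence


def _labels(name: str) -> List[str]:
    # DNS names compare case-insensitively; a trailing root dot is ignored.
    return [p for p in name.lower().rstrip(".").split(".") if p]


def dns_in_subtree(name: str, subtree: str) -> bool:
    """RFC 5280 dNSName rule: match if equal to the subtree, or built from it by
    adding whole labels on the left ("hk" covers "gov.hk" but not "nothk")."""
    n, s = _labels(name), _labels(subtree)
    return len(n) >= len(s) and n[len(n) - len(s):] == s


@dataclass(frozen=True)
class CA:
    name: str
    permitted: Optional[Sequence[str]] = None  # None: no constraint present
    excluded: Sequence[str] = ()

    def may_sign(self, dns_name: str) -> bool:
        # Excluded subtrees always win over permitted ones.
        if any(dns_in_subtree(dns_name, e) for e in self.excluded):
            return False
        if self.permitted is None:
            return True  # the "unlimited signing powers" case
        return any(dns_in_subtree(dns_name, p) for p in self.permitted)


def chain_allows(chain: Sequence[CA], dns_name: str) -> bool:
    # Every CA on the path must allow the name; constraints only narrow.
    return all(ca.may_sign(dns_name) for ca in chain)


# Constructed entries; the constraint values are hypothetical, not real policy.
UNCONSTRAINED = CA("Hong Kong Post Office")
CONSTRAINED = CA("Hong Kong Post Office", permitted=("hk",), excluded=("mil.hk",))

if __name__ == "__main__":
    for host in ("irs.gov", "microsoft.com", "www.gov.hk", "nothk", "x.mil.hk"):
        print(f"{host:15} unconstrained={UNCONSTRAINED.may_sign(host)!s:5} "
              f"constrained={CONSTRAINED.may_sign(host)}")
```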


