[Cryptography] Other obvious issues being ignored?

Jerry Leichter leichter at lrw.com
Fri Oct 23 07:31:17 EDT 2015


> It is a travesty that the Mozilla Foundation pays DigiCert to certify
> that mozilla.org is "trusted" ... when in effect it is Mozilla that
> decides whether DigiCert is trusted, not vice versa...
> 
> Speaking of obvious, here's a super-obvious constructive suggestion:
> There should be at most *one* all-powerful root CA.  If/when Mozilla 
> decides to trust some CA, Mozilla should *sign* the CA, not simply
> compile it into the list of trusted CAs.  This would regularize the
> process of adding CAs to the list ... and revoking them when necessary....
Step back a moment and think about where you're going.

1.  You're saying out loud what's obvious but unacknowledged:  The base of your trust is not in any CA, it's in your browser's code.  Whether open source or closed, browsers are way too complex and change way too often to be effectively audited by any outside team.  All the cryptography in the world can't protect you from attack code within your browser itself.

2.  The theory of PKCS was that everything besides the authority at the top could be changed any time.  The practice is that there are multiple untrustworthy "authorities at the top" and multiple ways to game the system, so we've come up with notions like pinning which give up on the ideas of distributed, hierarchical trust exactly in order to get back security.

3.  There's really no difference between a pinned cert and just being given the public key for the site in question.  People somehow feel that trusting the browser to give you the key is less secure than letting a CA authenticate the site - after all, the browser could lie to you - but see point 1.

4.  The whole point of certificates based on URLs is that it allows you to trust a site you've never visited.  If you've visited before, key continuity a la SSH gives the much more interesting assertion that the site you are talking to today is the same one you spoke to yesterday, last week, and three years ago.  You can't get that same assertion in a world of ever-shifting certificates and CAs without trusting the whole PKCS hierarchy each time you connect.  The other efforts out there to improve trust in the system, based on checking whether the cert you got matches what others have been seeing for a while, are kind of a distributed version of the same thing (though in effect it lets you assert that the site you are connecting to is continuous with the one that "we" - all the observers - have talked to in the past.)

5.  Certificates let you make *off-line* assertions.  But, even ignoring the whole issue of revocation, where's the need to make off-line assertions *when you are forming an on-line connection*?

The entire PKCS infrastructure is out there trying to solve problems hardly anyone has - and not solving problems that we all have.  At great cost to all but the CAs, who are making a nice bundle off of the current setup and have every reason to try to block any change.

I've proposed previously on this list that browser makers could simply distribute a list of public keys for the top 100,000 sites.  Forget about all the intermediaries.  Put *all* your trust where it inherently has to be, in the browser; don't *add* more trusted parties as you do today.  You can, if you like, provide *parallel* checking of the list of keys - any number of *additional* parties can sign that list.

Then solve the "trusted introduction to a new domain" problem for the tiny remaining fraction of connections made on the Web each day in a way appropriate to just that.

                                                        -- Jerry
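As an added illustration (not part of Jerry's post or the thread), here is a minimal Python model of the three checks the post contrasts: a vendor-shipped list of site keys, SSH-style key continuity on first use, and agreement with what other observers have seen. The fingerprints are SHA-256 over constructed byte strings standing in for DER-encoded SubjectPublicKeyInfo; the hostnames, key bytes and function names are assumptions made for the example.

```python
import hashlib


def spki_fingerprint(spki_der: bytes) -> str:
    """SHA-256 over the (here constructed) SubjectPublicKeyInfo bytes."""
    return hashlib.sha256(spki_der).hexdigest()


class KeyContinuityStore:
    """Host -> key fingerprint. Entries either ship with the browser
    (the 'top sites' list from the post) or are learned on first use."""

    def __init__(self, preloaded=None):
        self.pins = dict(preloaded or {})
        self.preloaded = set(self.pins)

    def check(self, host: str, spki_der: bytes) -> str:
        fp = spki_fingerprint(spki_der)
        known = self.pins.get(host)
        if known is None:
            # Trust on first use: remember the key, like an SSH known_hosts entry.
            self.pins[host] = fp
            return "first-seen"
        if known == fp:
            return "preloaded-match" if host in self.preloaded else "continuity-ok"
        # Key changed: never overwrite silently; the caller decides what to do.
        return "mismatch"


def observer_consensus(fp: str, observed: list, min_agreement: float = 0.5) -> bool:
    """Distributed continuity: does a sufficient share of observers report
    the same fingerprint we just received for this site?"""
    if not observed:
        return False
    agreeing = sum(1 for seen in observed if seen == fp)
    return agreeing / len(observed) >= min_agreement


if __name__ == "__main__":
    # Constructed sample keys; a real client would use the server's SPKI.
    shipped = {"mozilla.org": spki_fingerprint(b"constructed-spki-mozilla")}
    store = KeyContinuityStore(preloaded=shipped)
    print(store.check("mozilla.org", b"constructed-spki-mozilla"))  # preloaded-match
    print(store.check("example.net", b"constructed-key-A"))         # first-seen
    print(store.check("example.net", b"constructed-key-A"))         # continuity-ok
    print(store.check("example.net", b"constructed-key-B"))         # mismatch
```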
