[Cryptography] Verisimilitrust
ianG
iang at iang.org
Sat Jan 9 17:22:08 EST 2016
On 8/01/2016 09:09 am, Peter Gutmann wrote:
> From the Mozilla policy list, in a discussion about what to do about
> Kazakhstan requesting that their MITM certificate be added to the browser
> trust lists:
>
> It would appear from this information, that this CA (and probably others
> like it) is deliberately serving a dual role:
>
> 1. It is the legitimate trust anchor for some domains that browser
> users will need to access (in this case: Kazakh government sites
> under gov.kz).
>
> 2. It is the trust anchor for fake MITM certificates used to harm
> browser users, and which should thus be regarded as invalid.
>
> causing an immediate panicked response to try and find a reason to deny the
> request, because the CA/Browser Forum policies don't actually say you can't
> have an acknowledged MITM cert as a trusted root:
The problem with this is that it has been acknowledged in the past by at
least Mozilla that if there is due process - court order or user
permission - then it is OK to MITM. As this is simply awful but legal
behaviour, this is OK, and it applies to all CAs in all countries. And
we typically don't write policies that say "we'll ignore court orders"
because those courts then strike them down nor do we typically enter
into criminal conspiracies to tell our partners to ignore court orders...
In contrast there was a bit a push to try and ban MITM boxes on the
grounds that even employee permission isn't sufficient for spying on
/inter alia/ online banking.
Part of the problem is probably that Mozilla just buried the debate.
Back when I was in that group, they'd been caught twice running the
secret conversations internally, so they know things and act on things
that we have no idea over nor can govern over. Now they're caught in
the open and have to explain all that wasn't explained in the past.
If this theory is true, then they've likely been permitting MITM boxes
for friendly governments for a while... So this just amounts to normal
WASPish or WEIRD discrimination against one of the Darkistans.
> Kazakhstan has submitted the request for root inclusion:
> https://bugzilla.mozilla.org/show_bug.cgi?id=1232689
>
> So, we really do need to have this discussion now.
>
> I think we need to formally give up on the use of the word "trust" in its
> conventional sense in relation to PKI. Browser PKI has done to the term
> "trust" what the popular press has done to the word "hacker".
If you go back to the early versions of PKI documents, they talked about
how the acceptance of the roots was based on an entry into clear
agreements and obligations to do various checks which would then be a
foundation for your risk analysis, leading to a decision to proceed -
aka trust - conducted by the relying parties.
Since then, the "popular" PKI for secure browsing found itself reversing
much of that. Agreements were made opaque, liability was buried, and
users were stripped of the analytical tools to make any sort of risk
analysis. E.g., for most of Verisign's life you weren't allowed to rely
unless you had agreed to their contracts, which basically said you had
no chance in suing them. Hobson's choice.
One could argue (and it is argued) that this was the only way to make
secure browsing work - strip the users of the tools to do the analysis -
because they had proven beyond a doubt incapable of doing it.
But sadly or otherwise, this means that trust is no longer part of the
system, or at least that trust that the PKI originally envisaged, pre 1994.
Trust is a human decision of taking a risk that things will turn out
right in the future based on past information. In contrast, that which
is called "trust" in PKI is precisely the reverse: the browser hides it
all and you carry on regardless. If trust turns up at all it is that
some browsers once told you that "you trust this site" ... which of
course is bogus.
In practice, users make a trust decision precisely once - when they
download their browser or purchase their new computer. They trust their
vendor to get it right - one decision leading to trust over years of
usage on Apple, Mozilla, Google and Microsoft platforms. Although that
trust is pretty poorly informed and mixed up with other things, it's
actually the trust that goes with branding, so it's not zero, it's quite
rational and well studied in marketing.
Which gives us another clue to the word trust - users literally cannot
trust what they do not know, and they statistically do not know the
names of the CAs, or if they do, they don't know what they do.
Which all goes on to say, pretty much anyone who's using the word
"trust" in the CA / PKI world is in a state of sin. That's ok, it's
whatever you have to do to collect a pay cheque. Everyone has to make
compromises in professional life.
> Thus it would be prudent to extend the trust list format (and the NSS code
> using it) to be able to specify additional restrictions beyond those
> specified in the CA root itself.
Yes - so the muddled thinking that goes on in the browsers is because
they have to live with the cognitive dissonance that the browser policy
departments are the certification authorities over the certification
authorities, but they can't call themselves CAs because that'll upset
their chums over at the club.
> [...]
>
> In other words certificates are going to be turned inside-out, instead of the
> cert encoding policy-related information as per X.509, we've got a third party
> (browser vendors) imposing its policy on the certificate from the outside.
Yup. Inevitable. Notice how they got into the revocation game? How
soon will it be before someone throws a switch inside and starts
delivering signed root lists? Oops, there is one that already does ;)
> We've already got the same third party overriding CAs on revocation via
> hardcoded cert blacklists,
Snap!
> and as has been shown over and over again, CAs do
> only the bare minimum of checking for anything but EV certs. So if this
> change is made we can summarise the purpose of a CA as follows:
>
> Verify identity in certs - Not really (except to justify premium-priced EVs).
> Provide policy for certs - No, the browser vendor will.
> Provide revocation info for certs - No, the browser vendor will.
> Charge money to turn off the browser warnings - Yes.
>
> So that's pretty much pared browser PKI down to its essence, a license to
> print money for a select group of companies.
Well, the scaling problem is harder. Getting certs out at
Internet-personal-scale is a hard problem, so maybe some money has to be
made somewhere to make it work. But yes, one day someone in the
browsers will figure out that certs that are too easy to spoof are no
different from certs that people create themselves.
White certs should be the same - ones that are indistinguishable from
HTTP. But the problem here is that they got it into their heads that a
cert means a signal of non-MITM-ness, not of equivalence to HTTP. Oh
dear...
iang
More information about the cryptography
mailing list