[Cryptography] The actual history of EV. Was: Well, that only took ten years

Phillip Hallam-Baker phill at hallambaker.com
Fri Aug 16 11:18:12 EDT 2019

OK, since you keep asking, I will tell you the reason we actually designed
VeriSign Class 3 the way we did and why (together with Melih) I called the
meeting that led to CAB Forum and EV and why Microsoft made it happen.

At this point, I am not employed by any CA (or indeed being paid by anyone)
and I am busy working on my next PKI project, the Mathematical Mesh. The
Mesh makes the Internet easy to use by making it more secure. If you are
interested, there is a mailing list where we are discussing the possible
formation of an IETF working group:


The Mesh neither requires nor replaces CAs. However as with any technology
that makes use of cryptography and involves management of trust
relationships, it does create commercial opportunities for individuals and
enterprises with the relevant resources.

The original design brief was to enable online commerce by making use of
credit cards online at least as safe as in a store or failing that, at
least as secure as traditional Mail Order/Telephone Order (MOTO)
transactions. The principal concern.

Confidentiality was not part of the design brief. Nor was preventing
government intercept. If you recall, export browsers were limited to use of
40 bit encryption. Though that was eventually solved by Mike Meyers and
Warwick Ford developing Server Gated Crypto which allowed banks and some
others to use 128 bit crypto (albeit using RC4 so the work factor was much
less than 2^128).

The primary goal of VeriSign Class 3 was to prevent merchants setting up
fraudulent Web Stores. This is not much of a concern today because
Amazon/EBay/Alibaba operate what is in effect a cartel which requires 95%
of merchants to sell through their portals. The model the Web has adopted
is the medieval model in which all trade takes place in walled cities where
the Lord takes a cut off every transaction in return for providing an oasis
of safety in the middle of a landscape controlled by bandits and thieves.

The tool it uses is accountability. To get a class 3 certificate, subjects
had to establish a legal presence in at least one jurisdiction that could
hold them accountable in law and the CA was responsible for validating that

The goal of class 3 was to deter merchant impersonation fraud by making it
unprofitable. Specifically, the cost of acquiring a certificate would be
greater than the gain when performed repeatedly. While it is not
particularly difficult to make a single fraudulent company registration,
doing it repeatedly and not being caught becomes very expensive. On the
gain side, the purpose of revocation is to narrow the window of opportunity
in which the certificate may be exploited.

People can argue over whether this was a good idea or not but that is what
Michael Baum, Warwick Ford and myself designed the VeriSign PKI to do. And
like it or not, that approach is so far the only open PKI that has
succeeded in becoming ubiquitous. There are other PKIs of similar scale
(EMV, Apple's Developer program) but they are all serving closed
communities and do not allow unauthorized use by relying parties.

What we did not anticipate was that when the Clinton administration finally
dropped the export controls on crypto in 2000, this turned SSL/TLS into a
general purpose confidentiality solution. This completely changed the
nature of domain validated certificates from being a cheap means to acquire
credit cards to being the gating function on use of crypto.

The CA issued trust model was adopted because it met the needs of the
design brief I was working to. While I was working at W3C, I proposed a
scheme for code signing that looks very much like a LE type approach backed
by something as close as was possible to Certificate Transparency given
that the Surety patents were still in force.

What I have proposed at multiple times since is that Web browsers should
accept any certificate whatsoever to establish an encrypted connection
without complaint. Browsers should not warn the user about self signed or
expired certs. They should merely treat them as if they were http sites
unless there was a specific indication that a stronger security policy
should apply.

The reason I proposed what became EV was that the DV certificates
eliminated the accountability required to prevent fake merchant fraud. The
reason Microsoft backed EV was they were concerned that Internet fraud
represents a vast potential liability for the browser providers. That is
why VeriSign was created in the first place - to isolate the liability from
RSA Labs in the first instance and then Netscape/Microsoft going forward.

Contrary to the claims made, VeriSign did not propose EV to increase its
profits. VeriSign had exactly no idea what I was doing at the time the
meeting was called. When I first proposed an industry effort to stop the
'race to the bottom', my VP told me to prevent any sort of industry
association being formed at all costs as it would threaten our position as
market leader. Why bother trying to develop new products in a market
growing by 20% a year? Much easier to attempt to increase margins and
preserve market share. The NYC meeting was held in the 4 month interval
between his sudden departure from the company and the appointment of his
replacement: FYIFV

Of course these days, everyone seems to be very willing to mansplain to me
the reasons why we did what we did. But I was there. I know what I did and

But that is all history and what interests me now is the present. In 2016 a
dictator managed to use compromise of the DNC systems to perform a
reputation attack that installed a corrupt property developer in the White
House. The task we face now is to deploy strong end-to-end security
ubiquitously and hang the consequences.

The Mesh is designed to make that possible.

To privacy advocates, I say that the Mesh provides the capabilities you
need to make strong end-to-end security actually easier than the present
Internet. The reason TLS is ubiquitous is that it makes no demands of the
user for attention or time yet it is remarkably secure. We can and must
design end-to-end systems as easy to use and we must make them open.
Signal, KeyBase and the rest provide security, but they are dead ends
because they are closed services. The problem isn't solved until
alice@signal.com can call bob@keybase.com without both having to create
accounts on the same system.

To the Certificate Authorities, I say that you have made a lot of money
over the years from my designs in the past. You can ride the WebPKI train
for a decade at least and it will continue to deliver revenues, you can be
content to attempt to increase margins and preserve market share. Or you
could take a gamble on the possibility that PHB's latest idea could make
you even more money than the ones that are making money for you now.
