February 04, 2005

Musing on the CA debate: ICANN, NTK, Firefox and the devaluation of Trust (tm)!

The letter to ICANN on Verisign's conflict of interest has drawn several additional letters agreeing, and as yet no demurrals. I'm looking forward to the response, as governance of the net is very important, and it's key that we get this conflict of interest before it gets us.

NTK, which sportingly referred to the antichrist of SSL sites, also pointed at an article on Verisign's strategy. This analysis has it aiming to be the infrastructure behind ... well, everything. Can't say I blame them for trying, given the money involved. (Another sighting.)

Meanwhile, phishing is starting to enter the technical Internet community's open consciousness as 'a problem'. Verisign, like everyone else, is powerless to protect the market they invented, but there are good debates happening over on the Mozilla crypto group(s) about how to deal with it all. My goal: get Verisign's brand plastered all over Firefox, and then Verisign will make damn sure never to issue a dodgy cert to a phisher.

Few agree with me, although Amir and Ahmad have pretty much proven the case in their research. Perhaps not so curiously, CAs do agree, and Verisign tried a couple of years ago to ask for this (some press release which I no longer have). All CAs benefit from the branding approach because it allows them to do some marketing in an otherwise dysfunctional market. You can't market what can't be seen and there ain't no point in securing what ain't worth marketing...

Finally, to round out the recurring flushes of schizophrenia derived from defending the CAs' role as the trust vectors of our Internet, it transpires that our friends at Verisign have dropped the 'Trust' from their site. No longer does the logo say "The Value of Trust (tm)."

I think this is a good thing, and I'm not referring to the truly horrible HTML. Trust was a term that led people to think that by using a cert (from them, or anyone else) they had secured their trustworthy transactions. No chance! If security was that easy, we'd all be doing it by now, and "out phishing" would mean something else.

Posted by iang at February 4, 2005 02:11 PM

TBH I don't see the big deal here. Yeah, Verisign, if ordered to, could produce a dodgy cert that allows a man-in-the-middle attack on a site if traffic is routed to the dodgy-cert box before going to the real site.
However, it could *still* do that even if it was just Verisign. So could Thawte, so could ANY widely-accepted root CA. It's a feature of the HTTPS (X.509, whatever) certificate scheme.

Further, it is possible to create an HTTPS proxy, capable of seeing every transaction to anywhere - in fact, a commercial product exists which does this. The prerequisite is that it can generate such a certificate "on the fly" for any website, and convince the browser to accept it. In the commercial product, this is achieved by rolling out the proxy's own certificate to all corporate browsers so that it becomes an extra CA. However, a sub-CA cert signed by any of the big names (again, Verisign, Thawte, whatever) could do exactly the same thing transparently to the end user.

Posted by: DaveHowe at February 8, 2005 10:51 PM
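An added illustration of the mechanism DaveHowe describes above (example code written for this page; it is not from the post, the comments, or any vendor's product). It builds a throwaway PKI in memory with Python's cryptography library: one "trusted" root, a genuine issuing CA under it, and a second sub-CA, the interception proxy, also chained to that root. Path validation of the kind a browser does accepts the proxy-minted leaf for the target hostname just as readily as the genuine one; a leaf chained to a root nobody trusts is rejected; and a pinned public-key hash is what finally tells the forged leaf apart. All CA names, the hostname and the keys are made up and generated on the fly; nothing is fetched from the network.

```python
# Added example, not code from the post or comments. Names, hostname and keys are
# made up; the PKI lives only in memory for the duration of the run.
import datetime
import hashlib

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtensionOID, NameOID


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_cert(subject_cn, issuer_cert=None, issuer_key=None, *, is_ca, san=None):
    """Mint a certificate with a fresh P-256 key. No issuer means self-signed (a root)."""
    key = ec.generate_private_key(ec.SECP256R1(), default_backend())
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(issuer_cert.subject if issuer_cert else _name(subject_cn))
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    if san:
        builder = builder.add_extension(
            x509.SubjectAlternativeName([x509.DNSName(san)]), critical=False)
    return builder.sign(issuer_key or key, hashes.SHA256(), default_backend()), key


def signed_by(cert, issuer):
    """True if issuer is marked as a CA and its key verifies cert's signature."""
    if cert.issuer != issuer.subject:
        return False
    bc = issuer.extensions.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS).value
    if not bc.ca:
        return False
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def chain_valid(leaf, intermediates, trusted_roots, hostname):
    """Browser-style path building (expiry, revocation, name constraints and
    path-length checks deliberately left out): climb from the leaf until a
    trusted root signs a link. Note what is NOT asked: which sub-CA issued it."""
    san = leaf.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME).value
    if hostname not in san.get_values_for_type(x509.DNSName):
        return False
    current = leaf
    for _ in range(len(intermediates) + 1):
        if any(signed_by(current, root) for root in trusted_roots):
            return True
        parents = [c for c in intermediates if c is not current and signed_by(current, c)]
        if not parents:
            return False
        current = parents[0]
    return False


def spki_pin(cert):
    """SHA-256 over the DER SubjectPublicKeyInfo: the value key pinning compares."""
    der = cert.public_key().public_bytes(serialization.Encoding.DER,
                                         serialization.PublicFormat.SubjectPublicKeyInfo)
    return hashlib.sha256(der).hexdigest()


def run_scenario(hostname="www.example.com"):
    root, root_key = make_cert("Big Name Root CA", is_ca=True)
    issuing, issuing_key = make_cert("Big Name Issuing CA", root, root_key, is_ca=True)
    genuine, _ = make_cert(hostname, issuing, issuing_key, is_ca=False, san=hostname)
    # The interception proxy's sub-CA hangs off the same trusted root, so the
    # browser's path validation cannot tell its leaf from the genuine one.
    proxy, proxy_key = make_cert("Inspection Proxy CA", root, root_key, is_ca=True)
    forged, _ = make_cert(hostname, proxy, proxy_key, is_ca=False, san=hostname)
    # A home-made root that is in nobody's trust store: this one does NOT work.
    rogue_root, rogue_key = make_cert("Nobody's Root", is_ca=True)
    rogue, _ = make_cert(hostname, rogue_root, rogue_key, is_ca=False, san=hostname)

    roots, intermediates = [root], [issuing, proxy, rogue_root]
    pin = spki_pin(genuine)  # what the site operator would publish or ship in the client
    return {
        "genuine_chain_ok": chain_valid(genuine, intermediates, roots, hostname),
        "forged_chain_ok": chain_valid(forged, intermediates, roots, hostname),
        "rogue_chain_ok": chain_valid(rogue, intermediates, roots, hostname),
        "genuine_pin_ok": spki_pin(genuine) == pin,
        "forged_pin_ok": spki_pin(forged) == pin,
    }


if __name__ == "__main__":
    for check, result in run_scenario().items():
        print(f"{check}: {result}")
```

The point the code makes is that path validation only asks whether some chain reaches a trusted root; it never asks whether this particular sub-CA had any business issuing for this hostname, so any sub-CA under any trusted root can speak for any site. What separates the forged leaf from the genuine one is out-of-band knowledge of the expected key, which is what a pin encodes, and which no certificate in the chain can supply.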

Oh, it has always been able to do this. That's the whole point of the TTP.

The Trusted Third Party concept is that the TTP is capable of doing this, but is trusted _not_ to do this. So you could say, well, the TTP can do it, whatever, in which case we don't need the TTP any more. We can save ourselves the money on those certs, because the guarantee that is implied is no longer there, in which case we may as well do our own TTP roles. Or, at least, that's what the original designers are likely to say when asked, I think.

But, the nub of the issue here is deeper. How do we set things up so that the TTP never ever breaches the trust implied in the term "trusted third party"? Well, the accounting trade has a thing called governance, and one of the elements of this is called a conflict of interest, which basically states that the entity in question should have no interest in doing that which we don't want it to do.

VeriSign have an interest in doing this act, and so have broken the governance model. That's a key protection, gone right there. So, if this is no big deal, then certs aren't either.

Your call?

Posted by: Iang at February 8, 2005 11:09 PM