A PR by Comodo points at an old KPMG document that discusses the risks that the unstable CA market presents to users and, by proxy, to browser manufacturers. The document itself assumes 19th-century industrial policy in its support for lots of important committees and standards-setting organisations running around and setting the rules; notwithstanding that, it does accept the basic fact that this is not, and will not be, a stable economic structure.
The arrival of cheap-and-cheerful certs for low-budget sites back in 2002 led KPMG to realise that there is no way for the browser to show one CA's quality against that of another. Here are some of the quotes that lay out the risks that browser manufacturers have to deal with:
"CAs generally provide different types or classes of digital certificates that have different levels of trustworthiness depending on a variety of factors, including the level of subscriber authentication performed prior to issuance. Relying parties must independently ascertain the sufficiency of these authentication procedures and the appropriateness of reliance on a given type or class of digital certification for a given application or transaction."
"One of the core assumptions of PKI implementations is that relying parties (i.e., Internet users) are expected to assess the appropriateness of a particular type or class of certificate relative to its intended use."
"It is incumbent on CAs and other technology providers (i.e., browser providers) to provide user-friendly automated mechanisms for users to determine whether or not they should rely on a specific certificate."
"Browser providers should implement technical mechanisms that enable Internet users to make informed decisions regarding the trustworthiness of a particular certificate that chains to a trusted root."
Browser manufacturers need to work on this. I don't see much activity since 2002, when the report was written (Comodo points at Opera and TrustBar; Firefox has also implemented a yellow URL bar and shows the domain name in the status bar). They should also have a look at Appendix D, "What does an SSL certificate mean?", and ask their lawyers to compare and contrast those meanings with the development of phishing.
(I'd add it here, but the PDF doesn't permit cut&paste and I had to type the above in by hand. Scary warnings were never meant to be free...)
Posted by iang at April 8, 2005 06:57 PM | TrackBack
a couple of recent postings somewhat related .... one regarding the economic niche for certificates:
http://www.garlic.com/~lynn/2005e.html#62
another on the use of typical SSL domain name certificates in browser operation
http://www.garlic.com/~lynn/2005f.html#9
part of an extended explanation about certification process
http://www.garlic.com/~lynn/2005e.html#45
http://www.garlic.com/~lynn/2005e.html#51
I see another problem. Even if the browsers marked different-quality CAs chromatically, the users would have to understand this.
Try making a user understand that there are different shades of "secure connection" when they have problems understanding the difference between "secure" and "insecure" in the first place.