February 21, 2006

Major Browsers and CAs announce Balkanisation of Internet Security

GeoTrust, recently in trouble for being phished over SSL, has rushed to press a defensive PR that announces their support for high assurance SSL certificates. As it reveals a few details on this programme, it's worth a look:

The new High Assurance SSL certificate standard, which is being defined by leading browser companies including Microsoft, Mozilla and Opera, in partnership with Certificate Authorities including GeoTrust and VeriSign, as well as the American Bar Association Information Security Committee, will entail a higher level of business verification than any Certificate Authority's current vetting methods. Additionally, High Assurance SSL certificate identity information will be clearly displayed in the new-generation browsers, so that consumers will easily be able to discern that they are indeed at the site they think they are, and not a fraudulent version of a popular website.

The new specification for verifying identities for the new High Assurance SSL certificate is expected to be finalized in the coming months. The vetting process will be much more comprehensive than any Certification Authority's current vetting standards, which primarily rely on email and faxed information, database lookups and phone calls before issuing an SSL certificate. Today, these processes vary from Certificate Authority to Certificate Authority, and encompass an array of manual and automated processes. Key to the new High Assurance certificates is a standardized process across Certificate Authorities for verifying information that will include: verifying the organization's identity; verifying that the would-be purchaser has the legal authority to make the SSL certificate request for that organizational entity; and confirming that the entity is a legitimate business, not a shell or false front entity.

OK, what can we learn from that? The browser manufacturers and the CAs have teamed up. Mozilla and Opera are being teased out of the closet. The specification has not been completed, but the "speed" of the phishing onslaught is overtaking the measured response of the ones that know better.

My own view of this is that it won't work out as well as the champions are yelling it will. Primarily, it will simply shift the traffic to other areas, until a new balance is reached. In some sense this could be ludicrous, as salesmen run around following phishing victims to sell them HA certs. In other senses, the sense of strategic gameplay for those who know is just too amusing for words. In yet other senses, it proves the branding model, and proves the liability model. Unforeseen consequences in spades.

When the new balance is reached, the High Assurance will be Highly Breached, just like the GeoTrust cert of last week. That doesn't mean that this won't do some good - it surely will. But with that good comes a huge price tag, and frankly, it looks like it is not worth the price that user sites will have to pay. Especially in comparison to the better and cheaper solutions that have been designed and developed over the 2-3 years since this was first proposed.

A Microsoft Internet Explorer developer's weblog has published extensively on the new security features in IE 7, the work of the browser and Certificate Authority initiatives, and includes examples of how the new High Assurance SSL certificate information would display within the new Internet Explorer browser.

Chris Bailey, GeoTrust's chief technical officer stated: "For over a year, a dozen companies have been meeting to find new ways to address the issue of phishing and restore consumer confidence in online transactions. The result is that we will have one standard, with a thoroughly defined vetting process, for the issuance of High Assurance SSL certificates. While not every site will require them, it is our view that financial institutions and large e-tailers will want to convey this added assurance to their customers.

Yet more concerning is the introduction of a standardised process across CAs that will dramatically increase the cost of these certs. A dozen of them have been meeting for a year! So all this spells bad news for smaller browsers and smaller CAs, who have been excluded from the meetings and are presumably going to be pushed to implement a standard they have no control over, after everyone else has done so. Or not as the case may be.

Posted by iang at February 21, 2006 07:05 PM | TrackBack

this is the scenario where authentication has been allowed to get really sloppy and the solution is strong identification ... the individual scenario is having your complete lineage stapled to your forehead.

in general, identification scenarios involve being able to blame the correct entity after something bad happens (which may act as a deterrent) ... where-as, authentication scenarios typically are aimed at prevention.

the problem is that authentication requires that the entity being authenticated has some context for the entity doing the authentication; if that context doesn't exist ... then you fall back to some sort of detailed identification and hope that there is some information that provides basis for meaningful context.

during the x9.59 standards activity in the 90s, there was some investigation into carrying trademarks in certificates ... the certification authorities would only included trademarks for the entity that has registered the trademark with the appropriate gov. agency. hopefully the trademarks provide some meaningful context for the end-user ... and there are existing legal recourse for mis-use of trademarks.

an issue here then becomes similar to my oft repeated scenario for SSL domain name certificates ... the certification authorities still have this time-consuming, error-prone and expensive identification process of making sure that the entity applying for the certificate is the same as the entity registered with the appropriate authoritative agency (responsible for whatever the certificaition authorities are certifying for the certificate).

then somebody has the brilliant idea that when there is some registration with some authoritative agency ... that the registration entity also register their public key. then the certification authorities require that certificate applications be digitally signed. then the certification authorities can do a real-time retrieval of the registered public key from the authoritative agency and change an expensive, error-prone and time-consuming identification operation (i.e. the entity applying for the certificate is the same as the entity registered for the information being certificate) into a more reliable, less expensive, and simple authentication process.

the issue then is that if certification authorities can do real-time retrieval of public keys from authoritative agencies responsible for the information being certified ... why can't the general public also do real-time retrieval of the same public keys ... and be able to perform their own authentication ... rather than requiring certification authorities to do such authentication on their behalf and creating these things called digital certificates that are a representation of claims about (certification authorities) having performed some set of (authentication and/or identification) business processes.

an issue has been that public keys haven't been in general use ... so that authoritative agencies that are actually responsible for the information have no reason to require the registration of public keys from entities (as part of their general process). however, if public keys were to become generally used ... as in everybody applying for a digital certificate (from a certification authority), then there is an increasing expectation that entities will have public keys (for instance, one is required for a digital certificate). given sufficient expectation of public keys ... then the real authoritative agencies responsible for registered information can ressonably start to expect that they could also register public keys along with the rest of the information. then everybody being able to directly access these authoritative agencies actually responsible for registered inforatmion ... could perform their own real-time retrieval of public keys and their own authentication process (w/o requiring certification authorities as intermediaries).

A recent posting on the privacy side of this process (which is supposedly side-stepped when you are talking about identification of corporations and institutions ... as opposed to the individual)
http://www.garlic.com/~lynn/2006c.html#31 Worried about your online privacy

Posted by: Lynn Wheeler at February 22, 2006 12:41 PM
Post a comment

Remember personal info?

Hit preview to see your comment as it would be displayed.