[SSL Observatory] Number of CAs

Phillip Hallam-Baker hallam at gmail.com
Thu Dec 8 10:42:24 PST 2011


Michael Baum wrote up a relying party agreement back in 1995, it was incorporated by reference into all the SSL certs issued at the time.

It is certainly a contract, whether it is enforceable is another matter. But it is not true to claim that nobody thought about that.


Equally, in response to Daniel, I proposed CAA before many of the schemes he refers to. The original proposal had client enforcement in. That was taken out because the DANE faction played politics. I have since proposed a security policy scheme that is a superset of Convergence etc. So his allegation that CAs have proposed nothing is clearly false.


Do not assume that skeptical questions imply opposition to a proposal. None of the proposals made are new. No single model is perfect. What I want to know is if people have a better answer to the problems with a model than we did ten years ago.

If the response I get is hostility to the very idea of questioning their proposal, well I draw conclusions from that.


I think that what we are likely to converge on is to supplement the legacy deployed PKI with feedback and monitoring plus some better scheme for blocking malicious certs. 


Sent from my iPad

On Dec 8, 2011, at 13:23, Patrick Patterson <ppatterson at carillon.ca> wrote:

> Hi Daniel:
> 
> On 2011-12-08, at 1:08 PM, Daniel Kahn Gillmor wrote:
> 
>> [reorganizing and trimming to highlight the salient point]
>> 
>> On 12/07/2011 09:27 PM, Phillip Hallam-Baker wrote:
>>> On Wed, Dec 7, 2011 at 4:09 PM, Daniel Kahn Gillmor <dkg at fifthhorseman.net> wrote:
>>>> Do you think the incentives underlying the current CA model are broken?
>>> 
>>> If you think 50 CAs is too many then make your case based on the
>>> number there is support for rather than inflating it.
>> 
>> You'll note that the case i was making did not have to do with the
>> number of CAs, it had to do with the incentives the CAs have for
>> protecting the relying parties (i think they have no effective
>> incentives to do so).
>> 
>> Do you think the incentives underlying the current CA model are broken?
> 
> 
> Ok - this just tickled a long time pet peeve of mine. A CA has a contract with its Subscribers, so there is mutual responsibility, accountability and financial interest there.
> 
> However, there exists no contract between the CA and a Relying Party. It is 100% up to the Relying Parties to examine the policies of a given CA, and make an active decision whether they should trust that CA or not. I HAVE seen arrangements where the relying party did enter into a contract with the CA, for details such as ensuring availability of CRL and other information above and beyond what was indicated in the Certificate Policy, but other than that, the CA has no responsibility to Relying Parties other than to follow its policies. And a Relying Party should only trust that a CA has done so if there is an audit result from someone that the Relying Party trusts stating this.
> 
> So, stating that the financial model is broken because the CAs don't protect the Relying Parties is rather strange. A possible analogy is that a relying party is acting like someone who goes into a store, is given a lot of food by that store for free, and then complains to the store when they get fat off of that free food. No-one is forcing a Relying Party to trust any given CA.
> 
> Far better that the Relying Party exercise some form of discretion and responsibility. For the average user, I agree that the browsers and OS folks should help them along, but in any organisation of any size, their IT Security folks need to start taking a look at Trust management the same way they do the other topics regarding network security.
> 
> All the best.
> 
> ---
> Patrick Patterson
> President and Chief PKI Architect
> Carillon Information Security Inc.
> http://www.carillon.ca
> 
> tel: +1 514 485 0789
> mobile: +1 514 994 8699
> fax: +1 450 424 9559
> 