[SSL Observatory] SSL CA compromise in the wild

Steve Schultze sjs at princeton.edu
Wed Mar 23 08:57:00 PDT 2011


On Mar 23, 2011, at 11:37 AM, Tom Ritter wrote:
>> The global validity of certificates issued by the root CAs is what
>> scares me most. There is no "natural confinement" of a CA
>> compromise. If each CA would only be allowed to issue certificates for
>> a certain domain a compromise would also only affect that domain.
>> Of course a compromise of e.g. the .com CA would still be
>> catastrophic then but I could at least safely continue to log into
>> mybank.de.
> 
> I really like this idea actually.  A forward-thinking company could
> obtain several SSL certs for different ccTLDs, from different CAs
> (think mybank.de, mybank.nl, mybank.be).  And then if their .nl cert's
> CA was blacklisted, they could seamlessly route that traffic to
> another ccTLD without major disruption.  With a mechanism for service
> providers to still get 'the green address bar' and 'the little lock';
> *without* relying on an external entity's actions - I think keeping it
> a boolean is still a possibility.  And a more restrictive, less open
> boolean, where we _can_ blacklist entire CAs.

Yes, there have been proposals to this effect in places like mozilla.dev.security.policy.

The way to implement this would be with dNSName name constraints per RFC 5280 section 4.2.1.10.  However, this has not been very well implemented to date.  There was a longstanding NSS bug that may or may not now implement what would be needed for Mozilla:

https://bugzilla.mozilla.org/show_bug.cgi?id=394919

> A problem of course is trying to put the smoke back in the bottle -
> going to CAs and telling them their broad signing powers are now going
> to be restricted.  It'd be extremely difficult if not impossible to
> regulate signing certs already issued, and trying to regulate them
> going forward would probably bring cries of anger from the signers who
> want to be 'grandfathered' in and have the overarching powers of the
> signers that got there first.

Yes, this is the biggest problem.  Also, how do you decide which CAs have authority for which ccTLDs?  Is it based on the country in which they do business?  That's what Chris Soghoian has suggested.

What about non-ccTLDs?

Mozilla will soon consider name constraints for, at least, subordinate CAs:
https://wiki.mozilla.org/CA:CertPolicyUpdates#Subordinate_CAs

> Ultimately, I don't like CAs at all, and consider the system
> fundamentally broken.  It's become a business model, so it will never
> be abolished completely but... I'm hoping to see an entirely new
> infrastructure for determining Certificate Trust in my lifetime -
> maybe the DNS-based approach (but I confess I haven't read enough to
> speak intelligently on it.) 

I'd put my money on keys in DNSSEC.
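The dNSName name-constraint evaluation that the reply above points to (RFC 5280 section 4.2.1.10) is small enough to show end to end. The following is an added example, not code from the mailing-list post or from NSS: it models each CA certificate in a path by the dNSName entries of its permittedSubtrees and excludedSubtrees and the leaf by its subjectAltName dNSName values, then applies the RFC matching rule (a name satisfies a subtree when it equals it or adds labels on the left of it), the precedence of excluded over permitted, and the accumulation of constraints down the path. All CA names and hostnames are constructed for illustration; no certificates are parsed.

```python
"""RFC 5280 section 4.2.1.10 name-constraint evaluation, reduced to the dNSName
case that the thread discusses. Pure Python, no certificate parsing: each CA in
the path is modelled by the dNSName entries it would carry, and the leaf by its
subjectAltName dNSName values. All names below are constructed for illustration."""

from dataclasses import dataclass, field


def _norm(name: str) -> str:
    # DNS names are case-insensitive; drop a trailing dot so "a.b." == "a.b".
    return name.strip().rstrip(".").lower()


def dns_name_in_subtree(name: str, subtree: str) -> bool:
    """RFC 5280 rule: a dNSName satisfies a subtree when it equals the subtree
    or is built by adding labels to its left (www.host.example.com matches
    host.example.com; host1.example.com does not). The leading '.' in the
    endswith check enforces the label boundary, so mybankde.com is not in 'de'."""
    name, subtree = _norm(name), _norm(subtree)
    return name == subtree or name.endswith("." + subtree)


@dataclass
class NameConstraints:
    """dNSName entries of one CA certificate's NameConstraints extension.
    A CA without the extension is modelled as NameConstraints() (both empty)."""
    permitted: list = field(default_factory=list)
    excluded: list = field(default_factory=list)


def check_name(name: str, path: list) -> tuple:
    """Evaluate one leaf dNSName against every CA in the path (root first).
    Constraints accumulate: each CA's extension binds every certificate below
    it. An excluded match always rejects; an empty permitted list for the
    dNSName type imposes no restriction, which is the 'global validity'
    situation the thread complains about."""
    for depth, nc in enumerate(path):
        for sub in nc.excluded:
            if dns_name_in_subtree(name, sub):
                return False, f"{name!r} is in excluded subtree {sub!r} of CA {depth}"
        if nc.permitted and not any(dns_name_in_subtree(name, s) for s in nc.permitted):
            return False, f"{name!r} is outside permitted subtrees {nc.permitted!r} of CA {depth}"
    return True, f"{name!r} satisfies every constraint in the path"


def path_is_confined(leaf_dns_names: list, path: list) -> bool:
    """True only if every dNSName on the leaf is acceptable to every CA above it."""
    return all(check_name(n, path)[0] for n in leaf_dns_names)


if __name__ == "__main__":
    # Constructed paths: an unconstrained root (today's situation) versus a
    # root that may only issue under .de, as proposed in the thread.
    unconstrained = [NameConstraints()]
    de_only = [NameConstraints(permitted=["de"])]
    for label, path in (("unconstrained CA", unconstrained), (".de-only CA", de_only)):
        for host in ("mybank.de", "www.mybank.de", "mybank.com", "mybankde.com"):
            ok, why = check_name(host, path)
            print(f"{label:16} {host:14} {'OK    ' if ok else 'REJECT'}  {why}")
```

The point the thread makes falls out of `check_name`: with the unconstrained root every hostname passes, so a compromise of that CA is global, while with `permitted=["de"]` the same compromised key can only mint names under .de. A real path validator applies the same logic per name type (rfc822Name, iPAddress, directoryName) and additionally has to decide how wildcard names and the non-standard leading-dot form interact with subtrees; this example deliberately covers only plain dNSName values.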

