[SSL Observatory] On Whitelisting through Audits (Was: Some thread that started out worthless)

Tom Ritter tom at ritter.vg
Fri Nov 4 05:13:05 PDT 2011



On 11/4/2011 12:47 AM, Phillip Hallam-Baker wrote:
> I can't give a figure right now. But we should be able to get a figure once the minimum criteria for DV issue are applied.
> 
> It should be somewhere between 30 and 50 entities performing the domain validation part of the criteria after the dust settles.
> 
> Then there is a much larger number of resellers some of which perform some validation steps for OV validation but do not have keys and do not perform the domain name checking.

This I want to capture and discuss.

Picking an audit at random from http://www.mozilla.org/projects/security/certs/included/ I don't see any listing of identifiers for Signing Certificates - either the ultra-root, the one they use in practice, or the creepy little ones we're arguing about.  A skim through the latest CAB Draft http://www.cabforum.org/Baseline_Requirements_Draft_35.pdf (it has track changes on? it's been updated? when?) doesn't say anything about an audit listing all Signing Certificates.

It should.  Because otherwise what you said isn't true.  We _still_ won't be able to figure out what the correct figure of independent entities is, because we'll find a Signing Certificate, ask the Signer about it, and they'll give canned responses.  There's no guarantee that the auditor knew about that Signing Certificate, that it's on-site, under their control, or what.

Now, this could become the CA-CA, where the Auditor signs the Signing Certificate, but then Auditors' keys go into browsers (or they're worthless and easily faked) or it starts looking like a Web of Trust - messy.  Not interested.

I am interested in being able to whitelist Signing Certificates using Audit Reports as a source.  Ideally, browsers would do this.  Less ideally - they won't, and someone will make a browser plugin or Convergence notary that does.

But we're back to the same scenario: CA gets hacked, Signing Certificate produced and delivered to bad guys.  Eventually it's found in the wild thanks to cert pinning, and shitstorm ensues.  CA can't be feasibly removed from root because it would break 25% of the internet* so the rogue signing cert is blacklisted.

So, I know this isn't the perfect place for CAB Forum Discussion, but: Audit Reports being required to list the certificates protected by the controls they audited?  Thoughts?

-tom


* Either CA is removed from root immediately, internet breaks for people; CA is removed from root after 6 month delay, in which case we're taking punitive action which is good, but not protecting people from shitty CA for 6 months which is bad; or CA is not removed.  Auditor may or may not be distrusted.
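The whitelist Tom describes, worked through as an added example (not code from this post, from a browser, or from any CA or notary project): a chain is accepted only if every certificate that signed something is enumerated by an audit report, and a signing certificate found in the wild can be blocklisted on its own without distrusting the root. Everything here is constructed: the certificate names are hypothetical, the "certificates" are arbitrary bytes in PEM armor rather than real X.509 objects, and it is an assumption that an audit report would list covered certificates as SHA-256 fingerprints of their DER encoding. Ordinary path validation (signatures, names, validity) is assumed to happen in the TLS stack before this check runs.

```python
"""Whitelisting signing certificates from an audit-derived list.

Added example for this thread; not code from the post, a browser, or a CA.
The "certificates" below are CONSTRUCTED stand-ins (arbitrary bytes in PEM
armor), not real X.509 objects: only their fingerprints matter here.
Assumption: an audit report enumerates the certificates it covers as
SHA-256 fingerprints of their DER encoding.
"""
import base64
import hashlib
from dataclasses import dataclass

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


@dataclass(frozen=True)
class Cert:
    name: str   # hypothetical label, used only in messages
    pem: str    # PEM armor around the (constructed) DER bytes


def pem_to_der(pem: str) -> bytes:
    """Strip PEM armor and base64-decode the body; rejects anything else."""
    lines = [line.strip() for line in pem.strip().splitlines()]
    if len(lines) < 3 or lines[0] != PEM_HEADER or lines[-1] != PEM_FOOTER:
        raise ValueError("not a PEM certificate")
    return base64.b64decode("".join(lines[1:-1]), validate=True)


def fingerprint(pem: str) -> str:
    """SHA-256 of the DER encoding, lowercase hex (the audit-report form assumed above)."""
    return hashlib.sha256(pem_to_der(pem)).hexdigest()


def constructed_pem(seed: bytes) -> str:
    """Wrap constructed bytes in PEM armor so they parse like a certificate body."""
    body = base64.encodebytes(seed).decode("ascii")   # wraps at 76 chars, ends with newline
    return PEM_HEADER + "\n" + body + PEM_FOOTER + "\n"


# Constructed chain members (hypothetical names and contents).
ROOT = Cert("ExampleRoot", constructed_pem(b"constructed root certificate bytes"))
AUDITED_SIGNER = Cert("ExampleIssuingCA-2011", constructed_pem(b"constructed audited intermediate"))
ROGUE_SIGNER = Cert("ExampleIssuingCA-unknown", constructed_pem(b"constructed rogue intermediate"))
LEAF = Cert("www.example.com", constructed_pem(b"constructed end-entity certificate"))

# What the audit report enumerates: the root and the one signing cert the auditor saw.
AUDIT_ALLOWLIST = frozenset({fingerprint(ROOT.pem), fingerprint(AUDITED_SIGNER.pem)})


def evaluate_chain(chain, allowlist, blocklist=frozenset()):
    """Apply the audit whitelist to a chain given leaf-first, root-last.

    Runs on top of, not instead of, normal path validation. Every certificate
    that signed something (everything after the leaf) must be covered by an
    audit report and must not have been blocklisted after an incident.
    Returns (accepted, reason).
    """
    if len(chain) < 2:
        return False, "no signing certificate in chain"
    for cert in chain[1:]:
        fp = fingerprint(cert.pem)
        if fp in blocklist:
            return False, f"{cert.name} {fp[:16]}... is blocklisted"
        if fp not in allowlist:
            return False, f"{cert.name} {fp[:16]}... is not covered by any audit report"
    return True, "every signing certificate is covered by an audit report"


def incident_walkthrough():
    """The scenario in the post: a rogue signing cert turns up, then gets blocklisted.

    The rogue chain is rejected even before anyone blocklists it (the auditor
    never enumerated that signer), and blocklisting it afterwards does not
    touch the honest chain under the same root.
    """
    honest = [LEAF, AUDITED_SIGNER, ROOT]
    rogue = [LEAF, ROGUE_SIGNER, ROOT]
    blocklist = frozenset({fingerprint(ROGUE_SIGNER.pem)})
    return {
        "rogue_before_blocklist": evaluate_chain(rogue, AUDIT_ALLOWLIST),
        "rogue_after_blocklist": evaluate_chain(rogue, AUDIT_ALLOWLIST, blocklist),
        "honest_after_blocklist": evaluate_chain(honest, AUDIT_ALLOWLIST, blocklist),
    }


if __name__ == "__main__":
    for label, decision in incident_walkthrough().items():
        print(f"{label}: {decision}")
```

The point the walkthrough makes is the one the post is after: with an allowlist built from audit reports, the rogue signer fails closed the moment it appears, whereas a blocklist only helps after pinning has already caught it in the wild. A real deployment would need the audit-to-fingerprint mapping to be published in a machine-readable form, which is exactly the CAB Forum requirement the post asks about.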
