[SSL Observatory] On Whitelisting through Audits (Was: Some thread that started out worthless)

Phillip Hallam-Baker hallam at gmail.com
Fri Nov 4 06:30:45 PDT 2011


Well there is CA-Browser forum and then there is this:

https://wiki.mozilla.org/CA:Communications#September_8.2C_2011

By my reading, Gerv and Kathleen should now know the answer to that
question. Though whether they can share it with us is another matter.


I don't own the speaking stick on the other part of your proposal. But it
seems sensible enough. I am pretty sure that none of the information that
is commercially valuable is being captured anyway.


On Fri, Nov 4, 2011 at 8:13 AM, Tom Ritter <tom at ritter.vg> wrote:

>
>
> On 11/4/2011 12:47 AM, Phillip Hallam-Baker wrote:
> > I can't give a figure right now. But we should be able to get a figure
> once the minimum criteria for DV issue are applied.
> >
> > It should be somewhere between 30 and 50 entities performing the domain
> validation part of the criteria after the dust settles.
> >
> > Then there is a much larger number of resellers some of which perform
> some validation steps for OV validation but do not have keys and do not
> perform the domain name checking.
>
> This I want to capture and discuss.
>
> Picking an audit at random from
> http://www.mozilla.org/projects/security/certs/included/ I don't see any
> listing of identifiers for Signing Certificates - either the ultra-root,
> the one they use in practice, or the creepy little ones we're arguing
> about.  A skim through the latest CAB Draft
> http://www.cabforum.org/Baseline_Requirements_Draft_35.pdf (it has track
> changes on? it's been updated? when?) doesn't say anything about an audit
> listing all Signing Certificates.
>
> It should.  Because otherwise what you said isn't true.  We _still_ won't
> be able to figure out what the correct figure of independent entities is,
> because we'll find a Signing Certificate, ask the Signer about it, and
> they'll give canned responses.  There's no guarantee that the auditor knew
> about that Signing Certificate, that it's on-site, under their control, or
> what.
>
> Now, this could become the CA-CA, where the Auditor signs the Signing
> Certificate, but then Auditors keys go into browsers (or they're worthless
> and easily faked) or it starts looking like a Web of Trust - messy.  Not
> interested.
>
> I am interested in being able to whitelist Signing Certificates using
> Audit Reports as a source.  Ideally, browsers would do this.  Less ideally
> - they won't, and someone will make a browser plugin or Convergence notary
> that does.
>
> But we're back to the same scenario: CA gets hacked, Signing Certificate
> produced and delivered to bad guys.  Eventually it's found in the wild
> thanks to cert pinning, and shitstorm ensues.  CA can't be feasibly removed
> from root because it would break 25% of the internet* so the rogue signing
> cert is blacklisted.
>
> So, I know this isn't the perfect place for CAB Forum Discussion, but:
> Audit Reports being required to list the certificates protected by the
> controls they audited?  Thoughts?
>
> - -tom
>
>
> * Either CA is removed from root immediately, internet breaks for people; CA is
> removed from root after a 6-month delay, in which case we're taking punitive
> action which is good, but not protecting people from shitty CA for 6 months
> which is bad; or CA is not removed.  Auditor may or may not be distrusted.
>



-- 
Website: http://hallambaker.com/