[144426] in cryptography@c2.net mail archive
Re: Has any public CA ever had their certificate revoked?
daemon@ATHENA.MIT.EDU (Bill Frantz)
Thu May 7 22:04:19 2009
Date: Wed, 6 May 2009 14:51:13 -0700
From: Bill Frantz <frantz@pwpconsult.com>
To: cryptography@metzdowd.com
cc: paul.hoffman@vpnc.org, Peter Gutmann <pgut001@cs.auckland.ac.nz>
In-Reply-To: <E1M1gll-0000MI-6H@wintermute01.cs.auckland.ac.nz>
pgut001@cs.auckland.ac.nz (Peter Gutmann) on Thursday, May 7, 2009 wrote:
>Paul Hoffman <paul.hoffman@vpnc.org> writes:
>
>>Peter, you really need more detents on the knob for your hyperbole settin=
g.
>>"nothing happened" is flat-out wrong: the CA fixed the problem and resear=
ched
>>all related problems that it could find. Perhaps you meant "the CA was no=
t
>>punished": that would be correct in this case.
>
>What I meant was that there were no repercussions due to the CA acting
>negligently. This is "nothing happened" as far as motivating CAs to exerc=
ise
>diligence is concerned, you can be as negligent as you like but as long as=
you
>look suitably embarassed afterwards there are no repercussions (that is,
>there's no evidence that there was any exodus of customers from the CA, or=
any
>other CA that's done similar things in the past).
>
>...
>
>If a CA in a trust anchor pile does something terribly wrong and there are=
no
>repercussions, why would any CA care about doing things right? All that d=
oes
>is drive up costs. The perverse incentive that this creates is for CAs to
>ship as many certificates as possible while applying as little effort as
>possible. And thus we have the current state of commercial PKI.
It seems to me that there are a number of problems with the current CA
situation. Since no CAs have been identified by name (except Verisign for a
very old problem), it is hard for me to reduce the reputation of a specific
CA. Even if one was identified, it's not clear what I could do to move
business to more responsible CAs. So my reaction is to say that it's all a
big stinking pile and try to develop systems and procedures that don't rely
on CAs. (e.g. curl with a copy of the server's self-signed certificate, the
Petname toolbar, etc.)
If SSL/TLS had as part of its handshake, a list of CAs that are acceptable
to the client, I could configure my browser with only high-reputation CAs.
This step would probably make it desirable for servers to get certificates
from more than one CA so they could return a certificate signed by an
acceptable CA. It would certainly allow for some market pressure on CAs,
and high reputation CA might be able to charge more for certificates.
(The last time I ran into a case where the server certificate was not
signed by a CA on my browser's default list, I used the 800 number instead.
That was for activating a credit card.)
In addition, I am worried that some countries cyber-warfare department has
a copy of some well-installed CA's signing key and can generate
certificates whenever it wants. When D-day comes, it will spoof DNS and use
the certificates to disrupt the economy of its target country. If we had a
2 level security system, with CAs for the first introduction, and something
more robust for subsequent sessions, these attack scenarios would be less
likely.
Cheers - Bill
-----------------------------------------------------------------------
Bill Frantz | gets() remains as a monument | Periwinkle
(408)356-8506 | to C's continuing support of | 16345 Englewood Ave
www.pwpconsult.com | buffer overruns. | Los Gatos, CA 95032
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
