Eddy Nigg (StartCom Ltd.) wrote:
> A certificate with a lifetime of one year isn't an *ongoing threat of
> possibly ten years* to come. There is a huge difference!
>
> Supposing that a domain which was owned by someone else isn't going to
> end up within a very short time in the hands of a different owner, nor
> that a sensitive web site (as for example with the startssl.com domain
> name) which would prove to be a worthy candidate for such an attack is
> set up within a very short time, it is reasonable to assume that the
> limitation of a certificate to a lifetime of one year will sufficiently
> protect and prevent a MITM attack on said web site.
I don't disagree that in general CAs should limit cert lifetimes, for all sorts of reasons. However I'm going to disagree with you here about the risk assessment. I think an argument from economics is more appropriate here:

In the attack you're describing the attacker is basically betting on the possibility that a given domain name registered today (say, "foo.com") will be used by someone in the future. At that future time the attacker can do some DNS spoofing to redirect "foo.com" to his own site, which has a still-valid DV cert for "foo.com", issued to the attacker at some point in the past when the attacker controlled the domain. Thus the MITM protections of the DV scheme fail and the attacker is free to commit fraud.

The price of the bet is the cost of registering the domain "foo.com" and getting a DV certificate for it. (There might be other costs as well, but for the purposes of this argument we can ignore them, since they won't change the overall result.) The expected gain from the bet is the typical amount realizable from attacking a real foo.com site, multiplied by the probability that the "foo.com" domain name will be reused. The expected profit is then the expected gain minus the cost.

For example, suppose that the cost of the "foo.com" domain and a 1-year DV certificate for it is $30, and there's a 0.1% (0.001) probability that "foo.com" will be reused by someone else during the validity period of the certificate, and hence will be attackable in the manner described. If the amount realizable from an attack against "foo.com" is $50,000, then the expected gain from betting on "foo.com" ahead of time will be $50 ($50,000 times 0.001). The expected profit is then $20 ($50 minus $30).

How does this analysis change if the cert has a longer validity period? Clearly the probability of the domain "foo.com" being reused increases, and hence the expected gain.
(For example, we can assume as a first approximation that the probability of "foo.com" being reused over a 10-year period is ten times the probability of it being reused in the first year.) However the cost also increases (since 10-year certs cost more than 1-year certs), and roughly in the same proportion. Thus the expected profit associated with using a 10-year certificate for this attack is not significantly different from the expected profit from using a 1-year cert. Since it's the expected profit that determines the risk of attack (the higher the expected profit, the higher the risk),

(Note that the above is an oversimplification. For one thing, 10-year certs are typically sold at a discounted per-year price; e.g., a 10-year cert might only be 7 times the price of a 1-year cert rather than 10 times that price. However at the same time, from the attacker's point of view a gain received 5 or 10 years from now is worth less than a gain received in the next year, and so the expected gain has to be discounted appropriately as well. Without doing the detailed math I expect that these two effects will roughly cancel out, and the expected profit in present value terms will still be roughly the same.)

> My argument is with reasons and within accepted boundaries of domain
> validated certificates. Again, certificates with somewhat longer
> validity should be handled accordingly (with additional validations
> perhaps), but since domain validation is already the *lowest barrier* of
> entry, they should be controlled accordingly with a *reasonable limited
> validity*. Ten years is NOT reasonable! It borders on intent and gross
> negligence!
As I wrote above, I think there are good reasons for limiting the lifetime of certificates (DV or otherwise), and there are also other mechanisms by which CAs could offer multi-year discounts (for example, they could have subscribers pay up front for, say, a 10-year cert, and then issue 1-year certs renewable without charge for the next nine years). However as I've noted previously we don't specifically address cert lifetimes in our current policy, and given the economics I'm not convinced longer cert lifetimes in and of themselves drive up risk, at least in terms of your proposed attack scenario.

Frank
-- 
Frank Hecker
[EMAIL PROTECTED]
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
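Worked model of the expected-profit argument, added here as an illustration and not part of Frank's or Eddy's messages. It takes the post's own figures (domain plus 1-year DV cert for $30, a 0.001 per-year probability of the domain being reused, $50,000 realizable from an attack, and a 10-year cert priced at 7 times the 1-year price) and carries through the "detailed math" the post leaves undone: the reuse probability is assumed to scale linearly with validity, as the post's first approximation does, and future gains are discounted at a per-year rate that the post does not fix and is an assumed parameter here. Going beyond the post, it also prices ten successive 1-year certs as a comparison baseline.

```python
"""Expected-profit model for the "register now, attack later" DV-cert bet.

Added example; not code from the dev-tech-crypto thread. The dollar
figures and the 7x price multiplier are the post's worked numbers; the
discount rate is an assumption supplied by the caller.
"""


def pv_annuity_factor(rate, years):
    """Present value of $1 received at the end of each of `years` years,
    discounted at `rate` per year. With rate=0 this is simply `years`."""
    return sum(1.0 / (1.0 + rate) ** t for t in range(1, years + 1))


def expected_profit_one_year(cert_cost, p_reuse, gain):
    """The post's one-year case: expected gain p*G minus the up-front cost."""
    return p_reuse * gain - cert_cost


def expected_profit_multi_year(cert_cost_1yr, price_multiplier,
                               p_reuse_per_year, gain, years, rate):
    """A `years`-year cert bought today at price_multiplier x the 1-year price.

    Following the post's first approximation, each year of validity carries
    the same reuse probability, so year t contributes p*G, which is then
    discounted back to today. The whole price is paid up front, undiscounted.
    """
    up_front_cost = cert_cost_1yr * price_multiplier
    pv_gain = p_reuse_per_year * gain * pv_annuity_factor(rate, years)
    return pv_gain - up_front_cost


def expected_profit_annual_renewal(cert_cost_1yr, p_reuse_per_year, gain,
                                   years, rate):
    """Comparison baseline (not in the post): buy a fresh 1-year cert every
    year. Simplification: the cost and the gain of year t are both discounted
    as if they fell at the end of year t."""
    per_year = expected_profit_one_year(cert_cost_1yr, p_reuse_per_year, gain)
    return per_year * pv_annuity_factor(rate, years)


if __name__ == "__main__":
    COST, P, GAIN = 30.0, 0.001, 50_000.0   # the post's worked numbers
    print(f"1-year cert, expected profit: ${expected_profit_one_year(COST, P, GAIN):.2f}")
    for rate in (0.0, 0.05, 0.10):          # assumed discount rates
        ten_x = expected_profit_multi_year(COST, 10, P, GAIN, 10, rate)
        seven_x = expected_profit_multi_year(COST, 7, P, GAIN, 10, rate)
        renew = expected_profit_annual_renewal(COST, P, GAIN, 10, rate)
        print(f"rate {rate:.0%}: 10-year cert at 10x price ${ten_x:.2f}, "
              f"at 7x price ${seven_x:.2f}, ten 1-year certs ${renew:.2f}")
```

With no discounting and a 10x price the 10-year cert yields exactly $200, i.e. the same $20 per year as the 1-year cert, which is the post's first approximation; at a 7x price and no discounting it rises to $290, and at an assumed 10% discount rate the present-value profit falls to about $97. Whether the two effects the post names "roughly cancel" therefore depends on the discount rate the attacker applies, which is why it is left as a parameter rather than fixed.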