Frank Hecker:
>
> I don't disagree that in general CAs should limit cert lifetimes, for
> all sort of reasons.

I'm glad to hear that. And you are right that there are other reasons as well. However, I'm concentrating on the reason closest possible also in relation to the Mozilla CA policy. Prevention of an MITM attack is pretty much referenced in said policy.

> However I'm going to disagree with you here about
> the risk assessment.

OK, so let's see....

> In the attack you're describing the attacker is basically betting on the
> possibility that a given domain name registered today (say, "foo.com")
> will be used by someone in the future. At that future time the attacker
> can do some DNS spoofing to redirect "foo.com" to his own site, which
> has a still-valid DV cert for "foo.com", issued to the attacker at some
> point in the past when the attacker controlled the domain. Thus the MITM
> protections of the DV scheme fail and the attacker is free to commit fraud.
>

Everything stated is correct.

> The price of the bet is the cost of registering the domain "foo.com" and
> getting a DV certificate for it. (There might be other costs as well,
> but for the purposes of this argument we can ignore them, since they
> won't change the overall result.) The expected gain from the bet is the
> typical amount realizable from attacking a real foo.com site, multiplied
> by the probability that the "foo.com" domain name will be reused.

Correct.

> The expected profit is then the expected gain minus the cost.
>

We aren't talking here about a possible gain in material only (money, credit cards), but also eavesdropping and acquiring information. Breached privacy is a *LOSS* for the relying party and LOST trust in the software upon which the relying party relies, which can't be measured by a financial gain (profit) only.

> For example, suppose that the cost of the "foo.com" domain and a 1-year
> DV certificate for it is $30, and there's a 0.1% (0.001) probability
> that "foo.com" will be reused by someone else during the validity period
> of the certificate, and hence will be attackable in the manner
> described. If the amount realizable from an attack against "foo.com" is
> $50,000, then the expected gain from betting on "foo.com" ahead of time
> will be $50 ($50,000 times 0.001). The expected profit is then $20 ($50
> minus $30).
>

Frank, first of all your argument is lame, because you are talking about the eventual price of such an attack and apparently you seem to agree that this attack vector is real and an MITM possible. It's just a question of price and time. Nor is any expected profit anything you can judge. Classified information is sometimes more valuable than you can imagine. Your calculation is funny at best and I can turn it around just as easily. There are domains available for less than 5 bucks and stolen information more valuable than you and I can ever pay....

But seriously! I've never read in any CPS anywhere that the price of a domain name (and a certificate for that matter) is a measure applied by a CA. It's simply not a criterion a CA deals with, but measures such as checks on domain name ownership, validity period of the domain name (identity validation for higher validated certificates), re-validation and limitation of the certificate lifetime etc. are.

> How does this analysis change if the cert has a longer validity period?
>

Very obviously, a domain name can literally not be used again for any serious purpose if there is the potential of a valid and legitimate certificate in the hands of a previous owner (and potential attacker). Please read this sentence twice, three times loud ;-)

> Clearly the probability of the domain "foo.com" being reused increases,
> and hence the expected gain. (For example, we can assume as a first
> approximation that the probability of "foo.com" being reused over a
> 10-year period is ten times the probability of it being reused in the
> first year.) However the cost also increases (since 10-year certs cost
> more than 1-year certs), and roughly in the same proportion. Thus the
> expected profit associated using a 10-year certificate for this attack
> is not significantly different than the expected profit from using a
> 1-year cert. Since it's the expected profit that determines the risk of
> attack (the higher the expected profit, the higher the risk),
>

No, your argument doesn't stick! The costs are not a hurdle nor do you have any clues about the potential damage.
(It doesn't matter which warranties a CA gives you (in the case of this CA absolutely none - nada), the potential damage to breached privacy isn't something we can value in terms of money, but is a loss in the trust we are trying to build and sustain.)

However, a certificate with a lifetime of ten years in the hands of a party not owning the domain name is a potential threat for TEN LONG YEARS to the current owner and the visitors of that site. Not only is the potential of this domain name being acquired during that time ten-fold and multiplied, the window of opportunity is wide open compared to a certificate with a lifetime of one year only. The attacker can act at will, without pressure in time, plan the attack carefully, wait for the best opportunity and decide when he will gain most. But most important, this is a constant unlimited threat which no one knows when this threat is going to strike. This is a very uncomfortable situation for a domain holder and his visitors, it's even worse for Mozilla as a relying party to know that there are right now certificates out there in the hands of the wrong people!!!!

> As I wrote above, I think there are good reasons for limiting the
> lifetime of certificates (DV or otherwise), and there are also other
> mechanisms by which CAs could offer multi-year discounts (for example,
> they could have subscribers pay up front for, say, a 10-year cert, and
> then issue 1-year certs renewable without charge for the next nine years).
>

I absolutely agree with you and some CAs are apparently doing exactly that.

> However as I've noted previously we don't specifically address cert
> lifetimes in our current policy, and given the economics I'm not
> convinced longer cert lifetimes in and of themselves drive up risk, at
> least in terms of your proposed attack scenario

It has nothing to do with economics, but a lot to do with the knowledge that when I visit a web site with Firefox which has a legitimate certificate, that the site I'm visiting belongs to the right guy. This is what DV certs are all about, this is what they guarantee and this is the lowest barrier and condition of the Mozilla CA policy.

- As a member of this team
- and as a user and relying party of this software
- and as a distributor of this software
- and as an operator of a CA which has its root in this software...

...I have to insist that Mozilla makes sure to a reasonable extent that users of its software receive the legitimate and basic right to privacy and security in relation to digital certification. With domain validated certificates with a validity of up to ten years without being re-validated, this basic right can't be guaranteed (and not even reasonably assumed).

-- 
Regards

Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
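
An added example, not part of the original message: a check a new domain holder could run for the situation discussed in this thread, listing certificates issued before the domain was acquired that are still valid. The certificate inventory, the placeholder serials, the dates and the function names are constructed for illustration; where such an inventory comes from (for example public issuance logs) is an assumption.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class CertRecord:
    serial: str        # constructed placeholder, not a real serial number
    names: tuple       # DNS names the certificate was issued for
    not_before: date
    not_after: date

def covers(pattern: str, host: str) -> bool:
    """True if a certificate name (optionally a left-most wildcard) matches host."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        # A wildcard stands for exactly one left-most label.
        head, _, rest = host.partition(".")
        return bool(head) and rest == pattern[2:]
    return pattern == host

def stale_certs(records, host, acquired, today):
    """Certificates covering host that predate `acquired` and are valid on `today`.

    Returns (serial, days of remaining exposure), longest exposure first.
    """
    hits = []
    for rec in records:
        if not any(covers(name, host) for name in rec.names):
            continue
        if rec.not_before < acquired and rec.not_after >= today:
            hits.append((rec.serial, (rec.not_after - today).days))
    return sorted(hits, key=lambda hit: hit[1], reverse=True)

# Constructed inventory for "foo.com", the domain name used in the thread.
INVENTORY = [
    # 10-year certificate issued while a previous holder controlled the domain
    CertRecord("placeholder-01", ("foo.com", "www.foo.com"), date(2007, 3, 1), date(2017, 3, 1)),
    # 1-year wildcard certificate, also from the previous holder
    CertRecord("placeholder-02", ("*.foo.com",), date(2007, 6, 1), date(2008, 6, 1)),
    # issued to the current holder after the acquisition date
    CertRecord("placeholder-03", ("www.foo.com",), date(2008, 2, 10), date(2009, 2, 10)),
    # unrelated domain
    CertRecord("placeholder-04", ("www.foo.org",), date(2006, 1, 1), date(2016, 1, 1)),
]

if __name__ == "__main__":
    acquired, today = date(2008, 2, 1), date(2008, 7, 1)
    for serial, days in stale_certs(INVENTORY, "www.foo.com", acquired, today):
        print(f"{serial}: issued before acquisition, valid for {days} more days")
```

With the constructed data, the 1-year certificate has already expired five months after the acquisition, while the 10-year certificate is still reported.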