On 30/12/08 06:45, Ben Bucksch wrote:
On 28.12.2008 14:23, Ian G wrote:
[1] disclosure, I work as an auditor
So, Ian, what are you trying to tell us? We can't yank roots. We can't
rely on audits. How are we supposed to restore and ensure proper
operation of the system?
Right. There are no easy solutions. I don't have them. What I would
avoid however is following the old prescriptions without understanding
them better. That will involve more work for all, papering over the
cracks, and in the end, less security. This is what happened to the
financial system...
Obviously, just trusting CAs blindly and hoping for the best doesn't work.
Not even an interested, security-conscious user can just walk into a CA
and verify their operations, so they *have* to rely on us.
In this I would differ somewhat :) In my time as an auditor, I have
seen very little that needs to be secret, confidential or closed [1].
In particular, all of the verification processes are more or less
available for open scrutiny already. As you yourself have shown, it was
possible for you to read the CPS and the audit opinion, and work out
that the reseller situation was as we found in the experiences. It's
also possible for anyone to buy a cert and find out what it feels like,
and today's discussion wasn't the first time this was done.
The difference is between the belief that "only" an auditor can verify
these things, and what you can really do.
Consider that Mozo musters some 150 million end-users. Probably a
million of those are interested parties. Probably 100k of those are
technically savvy and interested in security. Of those, I suggest we
can find 1000 who can read and comment on the CPS *and* review the
verification processes of every CA under consideration.
(I have seen this concept in other places. It works if you get enough
people, enough openness in thinking, and enough value on the table. It
works in open source for example.)
So, where we would be heading is this:
* reducing the scope of the audit to only those areas that cannot be
opened up.
* increasing the verification by the people over those areas that
are open, either already, or easy to open.
E.g., think about the current event. We now know far more about that
verification than the audit ever told us. It's simple: just buy a few
certs and report back.
The cost of the certs is $10 -> $100, and the cost of the audit is
$100k---> ... It's even cheaper this way.
Being able to yank roots, and relying on the auditor to verify and
ensure that the actual, day-to-day operations follow the documented
processes, and reading the process document to verify that it meets the
requirements of our policy and our user's needs, is fundamental to the
whole SSL thingy. Otherwise it's useless snake-oil, which harms users
who rely on it - on *us* (Mozilla).
Well, that is the old message from 1995. The message was constructed
before we saw how it worked in practice. Things have changed a lot
since then, especially we now know much more about open processes, and
we know how the net really works.
Instead, consider the reputational damage to the CA as the primary
vector of harm. If a CA is criticised, this hurts their business [2].
If we had independent security researchers posting on their experiences,
then this would enable a "CHOICE" style of approach to evaluating
security [3].
(Yes, there are some who believe that all CAs must be equivalent, and
all end-users are to be protected from any differences. I am pointing
out that this very core principle is a root cause of all our troubles.
It is unsustainable, and must break one day if security against a real
attacker is to be the intent. There is no real security system that
survives without end-to-end security, and the user is always the end.)
Of course, these are just my opinions, and many do not agree to them!
iang
[1] Comodo provided some confirmation of this when they stated that
much of what we were talking about they *could* open up but would only
do it if all CAs were required to. E.g., it is closed for commercial
reasons, not security or verification reasons.
[2] This particular time it failed to reach the press in any big way
(for reasons you can speculate on).
[3] By CHOICE I mean the consumer magazine in some countries where the
suppliers are kept at distance. This would be the exact opposite group
to CABForum for example, where users are kept at distance.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
