Thursday 1 March 2012

Trust CAs? Yes. No. Probably.

So this was an interesting read on the various proposals to change the way CA-based PKI works. This led me to want to learn more about some of the proposals, including Convergence by Moxie Marlinspike (YouTube talk here).

The Moxie talk was interesting as he talks a lot about where the trust in the CA system is and where it should be.  I think we can go even further in the analysis of the trust.

For starters, the root of trust is not just the CAs, but also where the CA root certificates are stored: the browser/OS certificate store. We also need to trust how they get into the store. This is interesting as the root CA certificates would be updated (I assume) over an HTTPS connection, which is ironic since we are relying on the trustworthiness of the CA system in order to update the trustworthiness of the CA system. This is fine, unless there are issues with the CA system, which I think the current zeitgeist indicates there are.

There are also the browsers themselves: if they were compromised in any way then the trust in the CA system would be broken. I don't think people consider this to be high risk, but let's not forget that companies like Microsoft or Google are not immune from political pressure and certainly not economic pressure, especially when applied by a nation state.

To me that is the major design criterion that the CA system needs to achieve: protect people from the most powerful adversary, the government of their country. There are other powerful adversaries, but they seem to have balancing forces; organised crime has international police forces, untrustworthy CAs have the browser vendors and economic pressures. The government of your country does not have a balancing force (this is less so in a democratic country, but still not sufficiently balancing in my opinion).

If you really wanted to be paranoid about trust you could include the implementation and design of the algorithms used in the code that implements the cryptography. However, it's fairly easy to test that they work as expected and they can also be reverse engineered.

Moxie also mentions that any authenticity system needs to worry about who you need to trust and for how long. I think the current CA system is not terribly broken in this way. We can and do revoke root CA certificates, so we don't trust CAs forever, and although people can argue that we shouldn't be trusting them at all, well, we have for the past 20 years and the Internet hasn't broken; by and large it all works fairly well. It's unreasonable to expect that CAs will never be bad, so as long as we have balancing forces (browser and economic pressures) then the current system works well enough. Saying that, I would like to see the problem of any CA being able to certify any domain be solved; I think that is a glaring vulnerability in the system.

Fundamentally, users are not in a position to make a trust decision, and allowing them to choose might feel like empowering them, but in the end they will always choose the path of least resistance. This just leaves the option of having watchers watch the system and react to problems, which obviously makes it a reactive rather than a proactive system. So there will always be a certain amount of fraud or insecurity as a result. Until that escalates to a point where the cost outweighs the benefits, the current solution of a CA-based PKI is likely to remain (largely) unchanged.
