Fate of Secure Origins in Question?

This just made my radar: "GeoTrust Launches GeoRoot; Allows
Organizations with Their Own Certificate Authority (CA) to Chain to
GeoTrust's Ubiquitous Public Root,"
http://www.prnewswire.com/news-releases/geotrust-launches-georoot-allows-organizations-with-their-own-certificate-authority-ca-to-chain-to-geotrusts-ubiquitous-public-root-54048807.html.

I understand the use case. For example, Google appears to use it for
its Internet Authority G2 (https://pki.google.com) to manage it web
properties (corrections please).

However, the Ubiquitous Public Root program removes the independent
third party auditor that performs the validation. In the past, a
reseller would perform the validations and then issue the end-entity
certificate under their subordinate CA. If a reseller was misbehaving,
then the subordinate CA would be revoked. This economic disincentive
presumably keeps resellers honest.

Additionally, GeoTrust does not appear to place any name constraints
on the subordinate CA they issue to the organization. Both the IETF
and CA/B have name constraints that could be used to enforce the
policy. The relevant documents are RFC 5280, 4.2.1.10 Name Constraints
and Baseline Requirements, 9.7 Technical Constraints in Subordinate CA
Certificates via Name Constraints.

I think its OK to trust Google to do the right thing and issue
certificates for domains under its control. But I'm not sure the same
can be said about other that participate in the program, like the
Bob's Used Cars or the Islamic Republic of Iran.

>From the security engineering standpoint, we should not have to rely
on trust here. Trust is what we use when we don't have security
controls to place. In this case, we have a security control but its
not being used.

I think a program like GeoTrust's has the potential to undermine the
entire system, and it brings into question the reliance on the system
for Secure Origins and its powerful features.

Received on Monday, 6 April 2015 01:15:07 UTC