- From: Jeffrey Walton <noloader@gmail.com>
- Date: Sun, 5 Apr 2015 21:14:40 -0400
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
This just made my radar: "GeoTrust Launches GeoRoot; Allows Organizations with Their Own Certificate Authority (CA) to Chain to GeoTrust's Ubiquitous Public Root," http://www.prnewswire.com/news-releases/geotrust-launches-georoot-allows-organizations-with-their-own-certificate-authority-ca-to-chain-to-geotrusts-ubiquitous-public-root-54048807.html.

I understand the use case. For example, Google appears to use it for its Internet Authority G2 (https://pki.google.com) to manage its web properties (corrections please).

However, the Ubiquitous Public Root program removes the independent third party auditor that performs the validation. In the past, a reseller would perform the validations and then issue the end-entity certificate under their subordinate CA. If a reseller was misbehaving, then the subordinate CA would be revoked. This economic disincentive presumably keeps resellers honest.

Additionally, GeoTrust does not appear to place any name constraints on the subordinate CA they issue to the organization. Both the IETF and CA/B have name constraints that could be used to enforce the policy. The relevant documents are RFC 5280, 4.2.1.10 Name Constraints and Baseline Requirements, 9.7 Technical Constraints in Subordinate CA Certificates via Name Constraints.

I think it's OK to trust Google to do the right thing and issue certificates for domains under its control. But I'm not sure the same can be said about others that participate in the program, like the Bob's Used Cars or the Islamic Republic of Iran.

From the security engineering standpoint, we should not have to rely on trust here. Trust is what we use when we don't have security controls to place. In this case, we have a security control but it's not being used.

I think a program like GeoTrust's has the potential to undermine the entire system, and it brings into question the reliance on the system for Secure Origins and its powerful features.
Received on Monday, 6 April 2015 01:15:07 UTC
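
The dNSName rule in RFC 5280, 4.2.1.10, cited in the message above, can be sketched as follows. This is an added example, not part of the original message and not any CA's or validator's code; it shows which leaf names a relying party would refuse under a name-constrained subordinate CA versus an unconstrained one. The function names, domains and constraint values are constructed, and only DNS names under a single CA certificate are covered.

```python
# Added example: dNSName matching from RFC 5280, section 4.2.1.10.
# All names and constraint values below are constructed for illustration.

def _labels(name):
    name = name.lower().rstrip(".")
    return name.split(".") if name else []

def in_subtree(dns_name, base):
    """True if dns_name equals base or adds labels to its left-hand side."""
    n, b = _labels(dns_name), _labels(base)
    return len(b) <= len(n) and n[len(n) - len(b):] == b

def name_allowed(dns_name, permitted=None, excluded=()):
    """Apply one CA certificate's dNSName constraints to one name.
    permitted=None models a CA certificate with no permitted dNSName
    subtrees, which leaves every DNS name acceptable unless excluded."""
    if any(in_subtree(dns_name, e) for e in excluded):
        return False          # excluded subtrees always win
    if permitted is None:
        return True
    return any(in_subtree(dns_name, p) for p in permitted)

def rejected_names(san_names, permitted=None, excluded=()):
    """Names from a leaf certificate that a validator would refuse."""
    return [s for s in san_names if not name_allowed(s, permitted, excluded)]

# Constructed subjectAltName entries, as if issued under a subordinate CA.
SAMPLE_SANS = [
    "www.example.com",
    "example.com",
    "badexample.com",            # shares a string suffix, not a label suffix
    "db.internal.example.com",
    "login.example.org",
]

if __name__ == "__main__":
    constrained = rejected_names(
        SAMPLE_SANS,
        permitted=["example.com", "example.net"],
        excluded=["internal.example.com"],
    )
    print("constrained subordinate rejects:", constrained)
    print("unconstrained subordinate rejects:", rejected_names(SAMPLE_SANS))
```

Full path validation applies the constraints of every CA certificate in the chain and also covers other name types such as IP addresses and directory names.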