Re: Fate of Secure Origins in Question? from Jeffrey Walton on 2015-04-06 (public-webappsec@w3.org from April 2015)

From: Jeffrey Walton <noloader@gmail.com>
Date: Mon, 6 Apr 2015 15:24:33 -0400
To: Eric Mill <eric@konklone.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAH8yC8nJOdTUa-mDrfhii0CyZhU=k6NDBK4Oa=uW6-YHEjXvWA@mail.gmail.com>

On Mon, Apr 6, 2015 at 2:56 PM, Eric Mill <eric@konklone.com> wrote:
>
> As Peter Bowen pointed out in another thread, intermediate CAs (like Google
> G2) have since become subject to auditing requirements they were not in
> 2005.

The problem is not ex post facto auditing.

The problem is the loss of the independent third party that assesses
the validity of the signing request (the RA). Under this system, the
inmates are running the asylum.

The PKI trust model is predicated on trust with various entities
fulfilling separate roles. The trust is not transitive from a CA/RA to
an organization.

What the GeoTrust root has managed to do is create a third class of
certificate. Here are the three classes. You decide on the relative
trustworthiness:

* Extended Validation (EV) - restores due diligence checking
    and restores CA profit levels.
* Domain Validation (DV) - minimal validation by third party,
    suffered race to the bottom
* Organization Validation (OV) - no request validation by a third
    party, organization just buys their way in and can mint
    certificates, "just trust us" security model

> I hate to extend the off-topic thread more, but so it's clear, this is a
> 10-year old announcement:
> http://www.hostreview.com/news/050215geotrust.html

Yes. That was the missing piece of the puzzle for me. I am a slow
learner at times. But the problems it created still exist today. Q.v.

Its seems to me the proposal on secure origins and access to power
features is based upon a belief in EV, DV and OV provide some type of
reputational service (despite the fact the CAs don't make those
claims).

The only thing OV proves is an organization has the money to purchase
membership. Why should OV be granted access to powerful APIs when its
riskier than DV and EV, and it has fewer assurances than DV and EV?

The WebApp Sec group is creating policy and providing implementation
guidance based on a particular trust model that's not being followed.
How can the WebApp Sec group claim its not their problem when they are
predicating functionality like secure origins on it?

(And I agree with Brad that the problem was likely forged with the CAs
and the Browsers in the CA/B Forums).

Jeff

> On Mon, Apr 6, 2015 at 1:05 PM, Daniel Veditz <dveditz@mozilla.com> wrote:
>>
>> I echo Brad's suggestion to take this concern to Mozilla's security policy
>> group. Issuing unconstrained and un-audited sub-CA certs would violate
>> Mozilla's certificate policy (see section 8 of
>> https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/).
>> The press release doesn't actually say such certs would be unconstrained and
>> GeoTrust should be well aware of these requirements, but it doesn't hurt to
>> follow-up and make sure.
>>
>> -Dan Veditz
>

Received on Monday, 6 April 2015 19:25:00 UTC