Re: The CA system is spectacularly broken - can the TAG help?

I'm offline as I reply, so I can't offer a link (*), but it's probably worth 
noting that the IETF currently has a web application security activity with some 
strong security experts engaged.  IIRC, the group tag is "WebSec".

#g
--

(*) The following message excerpt should point a path to the right places

[[
List-Id: Web Application Security Minus Authentication and Transport
	<websec.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>,
	<mailto:websec-request@ietf.org?subject=subscribe>

Sorry for delay, I now uploaded minutes from Taipei:

<http://www.ietf.org/proceedings/82/minutes/websec.txt>
]]


On 19/12/2011 23:44, Harry Halpin wrote:
> While I understand the CA system is somewhat outside your usual remit,
> let me add this to your pile of woes. I'm doing this because 1) the
> system has so stunningly come apart at the seams last year that it
> seems all parties involved in the Web (ISOC, W3C, etc.) should be
> actively looking at this issue and 2) there are now three different
> proposals for fixing this.
>
> There's currently a giant gaping security issue on the Web, namely
> that it's quite easy to fake the root certificates of a CA and so
> compromise TLS connections - and thus most high-value transactions on
> the Web in a way that is *very* hard to detect. For a detailed
> explanation of the problem, Moxie of Whisper Systems has an excellent
> video [1]. There have been a number of very high-profile compromises,
> such as the DigiNotar [2] and Comodo attacks [3]. Overall, probably
> problem #1 for security on the Web. It undermines all financial
> transactions on the Web - I'd bet money Paypal stays awake at night
> thinking about this. It's also a life and death situation for human
> rights activists in Syria, Iran, and elsewhere - who may not stay
> awake another night if the cert for their Gmail or Facebook account is
> faked.
>
> Now, over the last weeks I've seen about 3 different proposals that
> are quite serious:
>
> 1) Google's Proposal (Ben Laurie and Adam Langley): Basically make a
> public audit log of registered certs, and then the client/domain
> owners can check their certs versus that log. That probably has some
> browser component for checking all of this [5].
>
> 2) Sovereign Key proposal from EFF (Peter Eckersley): Similar to
> Google's proposal but more complex, uses an audit log of a "Sovereign
> Key" rather than certs [4]
>
> 3) Convergence Proposal from Whisper Systems/Twitter (Moxie
> Marlinspike): Features a more decentralized CA-like system with
> user-based "trust agility" where users can choose which CA-like
> "notary" to trust via browser [6]
>
> At TPAC, I talked to some of the browser team folks about this,
> everyone agreed the CA/Browser Forum is dysfunctional (i.e. a front
> for the current broken CA system) and they would be happy to see W3C
> or someone move in this space [6]. Google notes "We now have an
> outline of the basic idea and will be continuing to flesh it out in
> the coming months, hopefully in conjunction with other browser
> vendors." [5]
>
> So maybe time for W3C to move? While I understand the TAG only makes
> "findings", I suggest that given the overlap between the Google and
> EFF proposal, I'm pretty sure there's a solution space going on here
> even if it's outside of the TAG's expertise, and that solution space
> will probably involve - browsers, and interaction with the CA/Browser
> Forum. Sounds like it's time for W3C to make a move. I'd do an
> analysis of the topic, but also suggest that this problem is big
> enough to warrant getting folks together ASAP.
>
> Who: I'd suggest that we return to the idea of hosting a workshop on
> this topic, and since it's a large topic, I suggest W3C co-host with
> the CA/Browser forum and maybe ISOC/IAB.
> When: Soon as possible.
>
> [1] http://www.youtube.com/watch?v=Z7Wl2FW2TcA
> [2] http://www.guardian.co.uk/technology/2011/sep/05/diginotar-certificate-hack-cyberwar
> [3] http://news.cnet.com/8301-1009_3-20050503-83.html
> [4] https://www.eff.org/deeplinks/2011/11/sovereign-keys-proposal-make-https-and-email-more-secure
> [5] http://www.imperialviolet.org/2011/11/29/certtransparency.html
> [6] http://convergence.io/
>
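The public audit log in proposal 1) above, worked through as an added example that is not part of Harry's message nor code from any of the cited proposals: a toy Merkle log over constructed stand-in certificates, the inclusion proof the log hands a domain owner, and the client-side verification that a cert really is in the published tree. The `LOG` contents and all function names are assumptions made for this example.

```python
import hashlib

# Constructed, minimal append-only certificate log in the spirit of proposal 1):
# leaf = SHA-256(0x00 || cert), node = SHA-256(0x01 || left || right); subtrees split at the largest power of two below n (as in RFC 6962 / RFC 9162).
def leaf_hash(cert):
    return hashlib.sha256(b"\x00" + cert).digest()

def node_hash(left, right):
    return hashlib.sha256(b"\x01" + left + right).digest()

def merkle_root(hashes):  # tree head the log publishes (signed, in a real log)
    if len(hashes) == 1:
        return hashes[0]
    k = 1 << ((len(hashes) - 1).bit_length() - 1)  # largest power of two below n
    return node_hash(merkle_root(hashes[:k]), merkle_root(hashes[k:]))

def inclusion_path(hashes, m):  # sibling hashes the log hands out as proof for leaf m
    if len(hashes) == 1:
        return []
    k = 1 << ((len(hashes) - 1).bit_length() - 1)
    if m < k:
        return inclusion_path(hashes[:k], m) + [merkle_root(hashes[k:])]
    return inclusion_path(hashes[k:], m - k) + [merkle_root(hashes[:k])]

def verify_inclusion(cert, m, n, path, root):  # client-side check, RFC 9162 s2.1.3.2
    if m >= n:
        return False
    fn, sn, r = m, n - 1, leaf_hash(cert)
    for p in path:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = node_hash(p, r)
            while not fn & 1 and fn:  # re-align after an unbalanced right subtree
                fn, sn = fn >> 1, sn >> 1
        else:
            r = node_hash(r, p)
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and r == root

# Constructed stand-in certificates; real leaves would be DER-encoded X.509.
LOG = [b"example.com/GoodCA/1", b"bank.example/GoodCA/2", b"mail.example/OtherCA/7",
       b"shop.example/GoodCA/3", b"news.example/OtherCA/8"]

def owner_audit(cert):  # domain owner's check: only a logged cert gets a proof that verifies
    hashes = [leaf_hash(c) for c in LOG]
    if cert not in LOG:  # the log has no entry, hence no proof to offer
        return False
    m = LOG.index(cert)
    return verify_inclusion(cert, m, len(LOG), inclusion_path(hashes, m), merkle_root(hashes))
```

A cert a rogue CA issued but never submitted to the log has no proof, and a proof replayed for the wrong leaf or wrong index fails against the published root, which is what makes mis-issuance detectable rather than silent.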

Received on Tuesday, 20 December 2011 10:13:25 UTC