Re: The CA system is spectacularly broken - can the TAG help?

Harry,

I have a TAG action to update you on any news regarding the TAG's work on 
Certificate Authorities. As promised, we included an alert on this problem 
to Jeff Jaffe in a list [1] of technical issues that we think he should be 
aware of. We also discussed [2] the CA question at our F2F in January.

I think we're all agreed that this is a serious concern, a significant 
threat to the integrity of the Web, and one for which there likely aren't 
easy short-term fixes. We expect that IETF will take the lead on the many 
related technologies for which it is the responsible standards body (e.g. 
DNSSEC, etc.), and that within W3C Security Activity [3] will have 
day-to-day responsibility. The TAG will continue to monitor developments. 
Thank you again for bringing this to our attention; please feel free to 
contact us again if you feel that there are further developments of which 
we should be aware.

Noah

[1] http://lists.w3.org/Archives/Public/www-tag/2012Feb/0054.html
[2] http://www.w3.org/2001/tag/2012/01/06-minutes#item09
[3] http://www.w3.org/Security/

Tracker: this fulfills TAG ACTION-665

On 12/19/2011 6:44 PM, Harry Halpin wrote:
> While I understand the CA system is somewhat outside your usual remit,
> let me add this to your pile of woes. I'm doing this because 1) the
> system has so stunningly came apart at the seams last year that it
> seems all parties involved in the Web (ISOC, W3C, etc.) should be
> actively looking at this issue and 2) there are now three different
> proposals for fixing this.
>
> There's currently a giant gaping security issue on the Web, namely
> that the it's quite easy to fake the root certificates of a CA and so
> compromise  TLS connections - and thus most high-value transactions on
> the Web in a way that is *very* hard to detect. For a detailed
> explanation of the problem, Moxie of Whisper Systems has an excellent
> video [1]. There's been a number of very high-profile compromises,
> such as the Diginotar [2] and Comodo attacks [3]. Overall, probably
> problem #1 for security on the Web. It undermines all financial
> transactions on the Web - I'd bet money Paypal stays awake at night
> thinking about this. It's also a life and death situation for human
> rights activists in Syria, Iran, and elsewhere - who may not stay
> awake another night if the cert for their Gmail or Facebook account is
> faked.
>
> Now, over the last weeks I've seen about 3 different proposals that
> are quite serious:
>
> 1) Google's Proposal (Ben Laurie and Adam Langsley): Basically make a
> public audit log of registered certs, and then the client/domain
> owners can check their certs versus that log. That probably has some
> browser component for checking all of this [5].
>
> 2) Sovereign Key proposal from EFF (Peter Eckersley): Similar to
> Google's proposal but more complex, uses an audit log of a "Sovereign
> Key" rather than certs [4]
>
> 3) Convergence Proposal from Whisper Systems/Twitter (Moxie
> Marlinspike): Features a more decentralized CA-like system with
> user-based "trust agility" where users can choose which CA-like
> "notary" to trust via browser [6]
>
> At TPAC, I talked to some of the browser team folks about this,
> everyone agreed the CA/Browser Forum is dysfunctional (i.e. a front
> for the current broken CA system) and they would be happy to see W3C
> or someone move in this space [6]. Google notes "We now have an
> outline of the basic idea and will be continuing to flesh it out in
> the coming months, hopefully in conjunction with other browser
> vendors." [5]
>
> So maybe time for W3C to move? While I understand the TAG only makes
> "findings", I suggest that given the overlap between the Google and
> EFF proposal, I'm pretty sure there's a solution space going on here
> even if it's outside of the TAG's expertise, and that solution space
> will probably involve - browsers, and interaction with the CA/Browser
> Forum.. Sounds like it's time for W3C to make a move. I'd do an
> analysis of the topic, but also suggest that this problem is big
> enough to warrant getting folks together on ASAP.
>
> Who: I'd suggest that we return to the idea of hosting a workshop on
> this topic, and since it's a large topic, I suggest W3C co-host with
> the CA/Browser forum and maybe ISOC/IAB.
> When: Soon as possible.
>
> [1]http://www.youtube.com/watch?v=Z7Wl2FW2TcA
> [2]http://www.guardian.co.uk/technology/2011/sep/05/diginotar-certificate-hack-cyberwar
> [3]http://news.cnet.com/8301-1009_3-20050503-83.html
> [4]https://www.eff.org/deeplinks/2011/11/sovereign-keys-proposal-make-https-and-email-more-secure
> [5]http://www.imperialviolet.org/2011/11/29/certtransparency.html
> [6]http://convergence.io/
>
>

Received on Monday, 27 February 2012 21:46:01 UTC