<Lots of statements concerning how CAs work> For the past five years, CA certificates have been divided into Domain Validated and Extended Validated. As some of you know, I instigated the process that led to the creation of EV certs because I was very worried about the low quality of many DV certificates.
Some DV certificates are of very low quality. Which is why I would like to see the padlock icon phased out entirely. Why does the user need to know if encryption is being used at all? Actually the reason the user need to know that encryption is being used is quite an interesting one and has to do with the lack of a security policy layer for the Internet. If we could guarantee that encryption would always be used when visiting a site where there is a certificate, there would be no need for the padlock icon. But that is a digression. The problem raised by many people here is that a site example.com can get an SSL certificate with the highest available assurance level but a MITM attack can be performed with a low assurance certificate obtained from any of the CAs listed in the browser roots. There are two possible means of attacking this problem 1) Provide a means for determining if a certificate is authorized for use 2) Sanction CAs that issue unauthorized certificates The TLSFP approach only allows the first approach to be employed. My approach, publication of the authorized CA roots permits both approaches to be employed. The way I see this working is that each CA would publish a record that customers could publish in their DNS zone to state that other CAs should not issue certs. This would have the Digest of either the root key or an intermediate cert. example.com ESRV "pkix=29823dhd2w3298yf2==" Some sites might have multiple roots advertised for cases where they are switching providers: example.com ESRV "pkix=29823dhd2w3298yf2== pkix=2u2queihwiehiuhe==" And there could also be provision for advertising CERT records and so on. We can fill in those details later. Once the necessary record is allocated, a proposal is made to CABForum to require all member CAs to verify every cert against these DNS records before issue. I believe that there should be a very high degree of voluntary compliance since it is a check that can be automated. After a short interval the mechanism is made mandatory. The browser and platform providers have the necessary tools to achieve this. They can require the checks to be specified in the annual WebTrust audit which means that every cert would have to be in compliance within a year. Non compliant certificates would be detected as a matter of course by the various companies who have reason to crawl the Web and look at SSL certs. Note that my approach does not require client implementation to be effective, but allows for client implementation if this is considered desirable and is equally effective as a means of client side enforcement.
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
