What Would It Take To Have Open CA Authorities?

trainman writes "With the release of Firefox 3, those who have been using self-signed certificates for SSL now face a huge issue — the big, scary warning FF3 issues which is very unintuitive for non-technical users. It seems Firefox is pushing more websites in to the monopolistic arms of companies such as Verisign. For smaller, especially non-profit groups, which will never have issues with domain typo scammers, this adds an extra and difficult-to-swallow cost. Does a service such as this need the same level of scrutiny and cost since all that is being done is verifying domain and certificate match? This extra hand holding adds a tremendous cost and allows monopolistic companies such as Verisign to thrive. Can organizations such as Mozilla not move towards a model that helps break this monopoly, helping establish a CA root authority that's cheap (free?) and only links the certificate to the domain, not actual verification of who owns the domain?"

CACert

try it....

Re:CACert

[zerOnIne]

Seconded. go here.

Re:CACert

[rufus+t+firefly]

It isn't *included*, but it's definitely *supported*. Just go here with Firefox to install their root cert.

Re:CACert

[mindstormpt]

Actually you can only get a certificate from CACert if you've been assured with enough points, and that's only supposed to happen after in-person ID verification by multiple members. The certificate includes the verified identity of the member, or the organization if that's the case.

You can debate if this web of trust model is acceptable, but it's been used by Thawte for some time now, and its certificate is included in every browser.

Re:CACert

[theodicey]

StartCom is free and already supported by Firefox.

Mozilla just wants CAs to offer some level of accountability and identity verification. Their CA certificate policy is explicit in its requirements.

I don't see the point in having Verisign certificates eveywhere, but I also don't see why you should blindly trust a Robot Certificate Authority like CACert, without further assurances.

Re:CACert

[darkfire5252]

Why do you need identification to transmit a PUBLIC key (aka SSL cert)? Note: The moderators in this discussion who nuked my other post, like the parent, seem to not understand the difference between public and private keys. Crypto is complicated, but those who don't understand it should not be moderating a crypt discussion!

Nor should they be posting in it. You do not understand the difference between a key and a certificate, nor do you understand the purpose of a certificate authority.

In public/private key cryptography, the public key ensures that one can have a secure conversation with the holder of the corresponding private key. It does not address the problem of verifying who the holder of that key is. So, if Alice and Bob desire a private conversation using asymmetric (public/private) key cryptography, the first step is for them to exchange public keys. However, during the exchange, Mallory intercepts Alice's public key and supplies Bob with Mallory's public key. Mallory can now read the messages between the two and no one is the wiser. Enter the Certificate Authority. The CA's job is to act as a foundation for trust. The CA's key is provided to Alice and Bob securely (i.e. when installing an OS or browser). Alice and Bob can then go to the CA, prove that they are Alice and Bob, and they receive a certificate. The certificate for Alice consists of Alice's public key cryptographically signed by the CA's private key. Bob can then take the CA's public key, which he received previously, and verify the signature on Alice's public key. Bob has then proven that the CA is stating that that public key does in fact belong to Alice.

So, if the CA isn't actually verifying that Alice is Alice or that Bob is Bob, then Mallory can get a certificate that states Mallory is Alice, and we're back to square one.

Re:CACert

[the_olo]

How does this compare to other authorities like Verisign? How frequently does Verisign revoke a certificate? If it's not very often, should they be revoking more than they do?

Well, let's have a look.

Verisign has a much more complex pki hierarchy, so there are much more different CRLs. I've visited my local bank's site and had a look at their cert's chain. There were 3 levels of Verisign CAs above their x.509 cert and two of them had CRL distribution points specified (the top one, Verisign Class 3 Public Primary Certification Authority, had none, but I think it didn't need one since it's highly unlikely that the lower ones like Verisign's Class 3 Public Primary Certification Authority G5 will ever be compromised. They still have a 3rd level below and their 2nd level private keys are probably used only in high security, do-everything-manually-inside a-vault-by-a-highly-trusted-personnel-group context, not for signing any customer's certificate requests).

So I downloaded both CRLs:

$ wget http://crl.verisign.com/pca3.crl
$ wget http://evsecure-crl.verisign.com/pca3-g5.crl

and then inspected them:

Certificate Revocation List (CRL):
Version 1 (0x0)
Signature Algorithm: sha1WithRSAEncryption
Issuer: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
Last Update: Apr 29 00:00:00 2008 GMT
Next Update: Aug 14 23:59:59 2008 GMT
No Revoked Certificates.
Signature Algorithm: sha1WithRSAEncryption
a4:ff:fd:d1:4c:b8:e9:70:d5:d3:90:8c:85:64:e4:8e:36:21:
e8:b0:54:1d:2f:31:ac:00:92:9e:c9:42:d7:0f:c4:86:21:a3:
8f:23:f3:8b:e5:2d:5f:48:bd:ab:29:29:39:80:d1:b0:85:59:
ad:84:2a:d5:e9:1e:b1:8a:d4:44:97:5c:44:15:a1:61:64:49:
83:1f:12:b9:08:63:6c:8c:4b:2d:31:61:45:ae:1f:9a:8c:32:
e9:3f:86:1b:15:02:0d:30:9c:ae:d9:53:0c:cc:d1:2c:ec:6a:
57:db:c3:60:67:a4:a6:42:a2:72:37:8d:48:68:84:cf:2c:67:
b2:8f:60:6c:f4:2c:e4:90:71:88:1b:87:31:e5:88:b4:eb:dd:
38:17:7f:9b:f9:02:52:e1:03:b3:3e:7b:9f:1b:8f:5a:81:24:
ba:6d:9f:77:c7:db:53:88:89:8e:f5:b2:ff:79:51:e9:8b:ea:
f2:e2:dd:1c:52:d6:1c:d8:24:2c:f6:ac:a4:11:43:1b:6b:c8:
55:1b:b1:f0:e7:38:a8:f7:41:67:26:be:5b:b4:9f:da:a6:f7:
d0:f5:64:f9:68:83:28:b5:b4:86:90:92:a4:8d:95:36:78:42:
53:92:5f:92:9d:6c:60:95:59:d1:bb:e0:fe:0d:02:a0:31:74:
6f:1a:7c:04

Certificate Revocation List (CRL):
Version 1 (0x0)
Signature Algorithm: sha1WithRSAEncryption
Issuer: /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
Last Update: Jun 5 00:00:00 2008 GMT
Next Update: Aug 16 23:59:59 2008 GMT
Revoked Certificates:
Serial Number: 01761E18E2BC615F3EDEDD32A5B9FD0E
Revocation Date: Sep 24 16:48:23 2002 GMT
Serial Number: 112C147CE97CF5EF8C3CB4E9E46A2099
Revocation Date: Jun 5 17:49:07 2008 GMT
Serial Number: 156079D71A719DDB94BBE7DE9F66681B
Revocation Date: Sep 23 17:14:00 2002 GMT
Serial Number: 1C3F41C5C0161761816E4660A350F0A0
Revocation Date: Sep 23 17:15:48 2002 GMT
Serial Number: 1ED2FBD389179A0C9FFD52A065BD3533
Revocation Date: Feb 7 21:24:58 2001 GMT
Serial Number: 219185AE83A9BB59E5B1B5495369EEE3
Revocation Date: Jul 6 17:14:11 2001 GMT
Serial Number: 242DE0F2497B72DD901816753CE95F2E
Revocation Date: Apr 3 17:22:26 2008 GMT
Serial Number: 26F29D223FB00479A7BA35317D851331
Revocation Date: Jul 6 17:21:18 2001 GMT
Serial Number: 341BA0A1D332DDF1FD107B578DC7F0B5
Revocation Date: Jun 5 17:50:30 2008 GMT
Serial Number: 42F5B783B86305DDB50303E5B7D01BCD
Revocation Date: Apr 11 17:59:10 2007 GMT
Serial Number: 48DC5079C688954ECE8AA7BD2A20E7A9
Revocation Date: Feb 7 21:20:31 2001 GMT
Serial Numb

Re:CACert

[jd]

All possible attacks against certificates are purely hypothetical at this time. These would include:

• A poor, seeded PRNG being used where the seed is somehow exposed or part of the key - such as a simple hashed value of the same information that is made public, where the PRNG algorithm can be determined and reproduced in some way
• Someone has figured out a solution to the factoring problem, breaking RSA
• The effective key length is so short that the private key can be brute-forced

There are also two attacks against infrastructure which can compromise a key:

• The machine generating the key pair has been compromised in advance, with private keys intercepted and copied elsewhere
• Any machine subsequently storing the private key has been compromised, allowing the private key to be stolen

Of all of these, the last one is the only one anyone needs to take seriously. Even then, there are plenty of ways of making directories and files very secure, and making sure that potential exploits like buffer overflows are blocked in advance. (Just use a malloc replacement that prevents them.) The other attacks are so improbable that you can ignore them.

This leave one other attack vector:

• Social Engineering

This, according to reports, was used to obtain Microsoft's private keys from Verisign. Most reputable cert vendors have established better practices now. Simply choose one that will only deliver keys to an authorized contact point and only after a call-back check or some other authentication scheme.

Monopoly?

[nonpareility]

The fact that there are "compan*ies* such as Verisign" means Verisign is not a monopoly. In Firefox, go to Tools, Options, Advanced, Encryption, View Certificates, Authorities. These are all valid CAs according to Firefox. As for being cheap, a quick check at GoDaddy's says you can get one from them for $30/year.

Re:A difficult and hard to swallow cost?

[cstdenis]

Don't buy from GoDaddy. There are better and cheaper alternatives.

$14.95 - http://www.rapidsslonline.com/rapidssl-certificates.php

And unlike godaddy that on is not a chained cert.

Secure DNS can help

[John.P.Jones]

Can organizations such as Mozilla not move towards a model that helps break this monopoly, helping establish a CA root authority that's cheap (free?) and only links the certificate to the domain, not actual verification of who owns the domain?

How can anyone possibly establish that a given certificate is associated with a given domain without first proving that they do indeed have the (ownership) rights to establish said association?

What you are asking for can be accomplished via SecureDNS, you can enter the hash of the certificate in the DNS entry and Secure DNS ensures that only the authorized party can enter that association and verifies that it was not changed. SecureDNS facilitates a lot of these kinds of authentication issues by extending the rooted hierarchy of DNS names to securely dissiminate information, whether it be IP addresses of servers or public key commitments. See my paper "Layering Public Key Distribution Over Secure DNS using Authenticated Delegation" (ACSAC 2005).

StartSSL is free or cheap, as you prefer

[petard]

They offer certs with domain validation for free. There are gentle attempts to upsell you to higher levels of validation, but their domain validated certificates work without errors. Look here.

If you want certs that are validated to your business' identity (instead of just your domain) and don't indicate in the DN that they were free, there is a small charge.

Re:I've expirienced this myself.

[duffbeer703]

In your case, it's probably appropriate to ask your uses to add CACert or a self-signed certificate to their browsers. This isn't rocket science.

Re:Certification crap

[jd]

Let's start with a Man-in-the-Middle attack. Attacker finds an unpatched DNS and points www.somebank.com to their proxy that has SSL support. A user connects, thinking it is their bank. It looks like it, because it really is the bank's website that is being displayed, and the URL is correct. The user enters their account login information, because it's a secure site. The proxy, of course, decrypts the inbound user SSL traffic, stores username/password information, re-encrypts using the bank's SSL session and forwards to the bank. The bank never knows it's not the user - it's encrypted, after all, and it is all correct.

The idea of certificates is to authenticate the connection, make it impossible to someone in the middle to pretend to be the server to the client, and the client to the server. Actually, it would be better to require users to have certificates as well, in many cases, as passwords tend to be too trivial.

Now, the price of certificates is horrendous. The passport office provides a document as good, or better, than many certificates, but it doesn't cost many hundreds of dollars to obtain a passport. In fact, as digital certificates are essentially the same as a passport with electronic information, it might be better if the passport office issued digital certificates along with physical passports as a combined package. The added cost to them would be practically nil, and the certificates would have a much greater credibility level than those by most corporations, at least for personal certs.

Re:You've missed the point

[rufus+t+firefly]

It looks like someone has already started the process for Firefox, at least.

Re:Will Firefox do anything about it? No.

[StartCom]

That's pure nonsense. No CA ever paid a dime to the Mozilla Foundation or Mozilla Corporation (as opposed to the days of Netscape). Poke around http://groups.google.com/group/mozilla.dev.tech.crypto/topics to get a clue about how Mozilla handles inclusion of CAs.