Business conducted over the Internet has benefited hugely from web-based encryption. Retail sales, banking transactions, and secure enterprise applications have all flourished because of the end-to-end protection offered by encrypted Internet communications. An encrypted communication, however, is only as secure as the process used to authenticate the parties doing the communicating. The major Internet browsers all currently use the Certificate Authority Trust Model to verify the identity of websites on behalf of end-users. (The Model involves third parties known as certificate authorities or “CAs” issuing digital certificates to browsers and website operators that enable the end-user’s computer to cryptographically prove that the same CA that issued a certificate to the browser also issued a certificate to the website.) The CA Trust Model has recently come under fire from the information security community because of technical and institutional defects. Steve Schultze and Ed Felten, in previous posts here, have outlined the Model’s shortcomings and examined potential fixes. The vulnerabilities are a big deal because of the potential for man-in-the-middle wiretap exploits as well as imposter website scams.
One of the core problems with the CA Trust Model is that there are just too many CAs. Although organizations can configure their browser platforms to trust fewer CAs, the problem of how to isolate trustworthy (and untrustworthy) CAs remains. A good review of trustworthiness would start with examining the civil and criminal track record of CAs and their principals; identifying the geographic locations where CAs are resident; determining in which legal jurisdictions the CAs operate; determining which governmental actors may be able to coerce the CA to issue bogus certificates, behind the scenes, for the purpose of carrying out surveillance; analyzing the loss limitation and indemnity provisions found in each CA’s Certification Practice Statement or CPS; and nailing down which CAs engage in cross-certification. These are just a few of the factors that need to be considered from the standpoint of an organization as an end-user. There is an entirely separate legal analysis that must be done from the standpoint of an organization as a website operator and purchaser of SSL certificates (which will be the subject of a future post).
The bottom line is that the tasks involved with evaluating CAs are not ones that IT departments, acting alone, have sufficient resources to perform. I recently posted on my law firm’s blog a short analysis regarding why it’s time for General Counsel to weigh in on the authentication practices associated with secure communications. The post resonated in the legal blogosphere and was featured in write-ups on Law.Com’s web-magazine “Corporate Counsel” and 3 Geeks and a Law Blog. The sentiment seems to be that this is an area ripe for remedial measures and that a collaborative approach is in order which leverages the resources and expertise of General Counsel. Could it be that the deployment of the CA Trust Model is about to get a long overdue shakeup?
Folks might find the Monkeysphere project relevant here: http://web.monkeysphere.info/
I think you should take your root-cause analysis a bit further. The core problem is not that there are too many CAs; that’s a symptom. The core problem is that no one has an incentive to make this secure.
As Matt Blaze once wrote, a CA can only protect you from entities they are unwilling to take money from. The structural implications of that fact lead us to where we are today.
I’m not certain whether end-to-end encryption has brought great benefits to securing e-commerce. I suspect that the greatest benefit has been the guarantee that credit card companies provide to consumers: if you don’t get your goods or are otherwise defrauded, just call up your credit card company, and they’ll reimburse you. That, I suspect, matters a lot more than the SSL encryption. Of course, it’s possible that the encryption provides a perception of security and makes customers more comfortable spending money, so it might actually help sales (even if it doesn’t make much difference to security); this is a classic distinction between perception and reality.
OpenPGP allows for multiple certifications per identity. If you only moderately trust a CA (and that’s the most you really can trust someone that you don’t know) then require more than one of them. The more parties who certify an identity, the harder it is to orchestrate a conspiracy to issue a fake cert for MitM purposes.
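The multiple-certification policy described in the comment above, sketched as an added example that is not from the original post or any commenter. The certifier names, fingerprints, trust levels and the `marginals_needed` / `completes_needed` thresholds are all constructed assumptions; the code models the counting rule only and performs no signature verification.

```python
from collections import defaultdict

# Constructed sample data: (certifier, identity, key fingerprint) assertions.
CERTIFICATIONS = [
    ("ca-alpha",   "shop.example", "AAAA1111"),
    ("ca-bravo",   "shop.example", "AAAA1111"),
    ("ca-charlie", "shop.example", "AAAA1111"),
    ("ca-delta",   "shop.example", "EEEE9999"),  # lone dissenting certification
    ("ca-alpha",   "bank.example", "BBBB2222"),
]

# Hypothetical local policy: no certifier is trusted more than "marginal".
TRUST = {"ca-alpha": "marginal", "ca-bravo": "marginal",
         "ca-charlie": "marginal", "ca-delta": "marginal"}


def validate(identity, fingerprint, certs=CERTIFICATIONS, trust=TRUST,
             marginals_needed=3, completes_needed=1):
    """Decide whether the binding identity -> fingerprint is acceptable.

    Accept when enough distinct trusted certifiers vouch for the same key.
    Keys certified for the same identity by other certifiers are reported,
    since a second key for one name is the signal a bogus cert would leave.
    """
    by_key = defaultdict(set)
    for certifier, ident, fpr in certs:
        # Ignore certifiers outside local policy; a set counts each one once.
        if ident == identity and certifier in trust:
            by_key[fpr].add(certifier)

    vouchers = by_key.get(fingerprint, set())
    full = sum(1 for c in vouchers if trust[c] == "full")
    marginal = sum(1 for c in vouchers if trust[c] == "marginal")

    return {
        "valid": full >= completes_needed or marginal >= marginals_needed,
        "vouchers": sorted(vouchers),
        "conflicting_keys": sorted(k for k in by_key if k != fingerprint),
    }


if __name__ == "__main__":
    for ident, fpr in [("shop.example", "AAAA1111"),
                       ("shop.example", "EEEE9999"),
                       ("bank.example", "BBBB2222")]:
        print(ident, fpr, validate(ident, fpr))
```

A single coerced or careless certifier cannot make `EEEE9999` valid on its own, and its certification still surfaces as a conflicting key when the legitimate binding is checked.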