
Weekly Status Report, W35/2011

Here's a short summary of SeaMonkey/Mozilla-related work I've done in week 35/2011 (August 28 - September 4, 2011):

The security discussions around the DigiNotar incident took a lot of time to read this week, but they taught two lessons, I think: 1) the CA model has serious problems in its design, as it needs us to trust that CAs do the right thing and are not broken into, and 2) as long as we need that CA model, any CA that wants to keep its business running needs to immediately and fully disclose to the major browser vendors (i.e. the keepers of the CA root stores) when something goes wrong; if they fail to do that, consequences quickly need to run toward their complete exclusion, as happened in this case.

Entry written by KaiRo and posted on September 6th, 2011 14:40 | Tags: L10n, Mozilla, SeaMonkey, Status | 5 comments




CA model flaw?
The way you say this somewhat implies the flaw is more or less in some detail of the model.
But it's simply an unavoidable flaw of using a model with many CAs, each of which has equal capacities with the others.
It means the number of points of failure increases linearly with the number of CAs.

But it's easier to say "we need to fix that" than to do it.
If you limit the number of CAs, you're limiting the competition and creating some kind of oligopoly between the few that you still allow.
Or you need to say this model of commercial CAs is too fragile and create some kind of administrative solution? But actually here it's a governmental CA that failed, not a commercial one.
Maybe you can limit the extent of a failure by not making all CAs equal anymore, by saying some may only issue certificates with some restrictions? Well, in this case it doesn't change things so much; nl users still need the update urgently.
So really, easier said than done.
2011-09-07 05:56
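The two points in the comment above (every equally trusted root is an independent point of failure for every site, and restricting what a root may issue for limits the damage of one compromise) can be made concrete with a small toy model of a browser root store. This is an added example, not code from the post or its commenters; the roots, the hostnames and the `permitted` subtree field are constructed for illustration, modelled loosely on RFC 5280 name constraints.

```python
# Added example (not from the post or its comments): a toy model of a browser
# root store, showing why the number of single points of failure grows with the
# number of equally trusted roots, and how name constraints shrink what a single
# compromised CA can be misused for. Roots and hostnames are constructed here.

from dataclasses import dataclass


@dataclass(frozen=True)
class Root:
    name: str
    # Permitted DNS subtrees in the spirit of RFC 5280: "" means unconstrained
    # (may issue for any name); "nl" covers nl and every label below it.
    permitted: tuple = ("",)


def name_permitted(host: str, subtree: str) -> bool:
    """dNSName-style match: host must equal the subtree or lie below it."""
    if subtree == "":
        return True
    return host == subtree or host.endswith("." + subtree)


def can_issue_for(root: Root, host: str) -> bool:
    """True if a certificate for `host` chaining to `root` would be accepted."""
    return any(name_permitted(host, s) for s in root.permitted)


def accepted_issuers(store, host):
    """Roots a relying party would accept for `host`.
    Each one is an independent point of failure for that host."""
    return sorted(r.name for r in store if can_issue_for(r, host))


def blast_radius(root, hosts):
    """Hosts affected if `root` is compromised, out of a sample population."""
    return sorted(h for h in hosts if can_issue_for(root, h))


# Constructed sample data: three unconstrained roots and one limited to .nl
EQUAL_ROOTS = [Root("RootA"), Root("RootB"), Root("RootC")]
CONSTRAINED = Root("RootNL", permitted=("nl",))
HOSTS = ["mail.example.com", "login.example.nl", "overheid.nl", "bank.example.org"]

if __name__ == "__main__":
    store = EQUAL_ROOTS + [CONSTRAINED]
    for h in HOSTS:
        print(h, "accepted issuers:", accepted_issuers(store, h))
    print("RootNL compromise affects:", blast_radius(CONSTRAINED, HOSTS))
    print("RootA compromise affects:", blast_radius(EQUAL_ROOTS[0], HOSTS))
```

Every unconstrained root appears in the accepted-issuer list of every host, so adding a root adds a point of failure for all sites; the constrained root only shows up for the .nl names, which is the "restricted CA" idea the comment raises.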



I agree that it's easier said than done, and I don't have a solution. You're also right that it's an inherent flaw in the design of the whole model. And of course, we need to work with that model for the foreseeable future, but I'd be happy if someone would find a better model that doesn't have this problem.
2011-09-07 12:42

Tony Mechelynck

from Brussels, Belgium

The limits of the Bazaar model
The problem is difficult, and one of the reasons it's difficult — the main reason, I'd venture — is that it inherently runs contrary to the Bazaar model, whose success is based on the principle, «the more eyes, the fewer bugs».

Now of course, there are things that you legitimately cannot do in the open of the marketplace, such as what you say to your doctor, to your lawyer, or the password to your bank account. Similarly, the private key to any certificate must be held secret, for exactly the same reason that you do not distribute to any comer duplicates of the key to your bank vault. Certificate Authorities are there to give the process a semblance of respectability by having a trusted "authority" check that when you request an ID (a certificate) under a certain name, you are "who you say you are".

The problem with a company who professionally deals in secrecy is the tendency to try to keep everything secret, and sweep any failures under the rug in the hope that they won't be noticed. Of course, when they are noticed, the result is a catastrophic loss of trust which may even go, as looks quite likely in DigiNotar's case, as far as a total loss of business with the associated bankruptcy.

There is a need to separate what must be kept secret (the individual certificates) and what must never be kept secret (the procedures followed to ensure that certificates are delivered to the right people). This means that the certificate authorities have to be under constant watch, so that any break-in or any illegitimately delivered certificate shall be detected. But this brings us to the well-known Quis custodiet ipsos custodes? (Who shall watch the very watchmen?), as the Romans said.

The fact that the most valued certificates are only delivered at a high price by a relatively few authorities regarded as top-notch, may in itself constitute a risk of, as was mentioned above, an oligopolistic concentration of power into too few hands, with the concomitant risk that the auditors, being, as they conceivably could be, "players in the same elite game", fail to notice, when they happen, the very dubious actions, foul plays, and underhand fast-and-loose goings-on that they are there to prevent in the first place.

I don't have a solution, I'm not even sure that the problem admits any solution. But I would be happy if one could be found.
2011-09-09 00:38

Louis E.

No news here?
Why has this blog fallen silent?
2011-10-11 08:09



I didn't come around to blogging, but there's another status update coming that sums up the silent time...
2011-10-12 23:53
