Does your Certifying Authority have a clue who you are? Do they care?

So, an interesting thing happened to me yesterday.

  I run OpenBSD's https.openbsd.org site. Of course, we have an
SSL site certificate for this site. When we first started the site
(about 6 years ago) we got a site certificate from Thawte. Back in
those days they were based in South Africa, and had a Canadian legal
firm to verify who we were. So of course, Theo had to fax them some
stuff, as did I, etc. etc. The whole process was rather painful,
particularly since "OpenBSD" isn't a company, so we couldn't exactly
send incorporation documents and the like. Nevertheless, supposedly
this is to provide some sort of protection for people - that "OpenBSD"
really is who it claims to be.

  So, time comes to renew the certificate again, and give Thawte
their bi-yearly sum to keep our server cert alive. Every other year,
the renewal process has been automatic. They already have our
documentation on file, so presumably they can and do check this. This year,
they know nothing. They have been bought by Verisign and they want new
documentation. The conversation went something like this:

<"What happened to our previously sent documentation?"

"It's in a warehouse in Canada, because we changed how we do things"

<"Why can't you get it from there - We're a multinational volunteer organization, coming up with any sort of stuff like this is a pain"

"Well, we can't".

<"So you've lost it?"

"No, we know where it is, it's in the Warehouse"

<"Well, you can't get it because you don't know where it is in the Warehouse"

"Yes, so what can you send us?"

<"Are you going to get the documents from Canada?"

"Yes, but we're not sure when or how?"
  
  So the long and the short of it is, our CA has *LOST* the
documents showing who we are, and wants new ones. Had someone
previously filed fraudulent documents to obtain an SSL certificate,
they wouldn't have copies of those. So, the real question is, what
good does it do to send supporting documentation to these services, if
all they do is lose them? Is this really providing anyone with any
security, or is this really just a thinly veiled revenue generation
procedure? If they can't even produce the documentation used to
support a certificate they've issued, then why the heck ask for, and
charge money for, this in the first place? Of course my certificate is
good for X years, not to protect me from my cert being exposed, but
just to get more money after X years. Certificate revocation? Who
actually uses that, for real, in a manner that any widespread public
apps (i.e. web browsers) will pay attention to?

  Needless to say, any real confidence I (used to) have in
Thawte (back when it made Mark Shuttleworth enough money to buy a ride
on the space station) is really no more. (And no, I never really did
have any confidence in https, because of the human engineering issues.)
Anyway, we got a new cert from a provider that only cares about domain
ownership, which works fine. The real question is, between the fact
that web browsers make it so easy for knuckle-dragging apes to
accept any certificate out there anyway, and if the CAs aren't doing
anything to speak of with the "Supporting Documentation", who are we
kidding that there's any real point (security-wise) to this exercise?
Time for a new protocol that just stores the public key the first time
like SSH, and the user maintains their own list? Really, is that any
less secure than this ongoing nonsense from a practical perspective?
(Other than there's no way for CAs to make money off of it?)

       -Bob
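The SSH-style alternative Bob raises, a client that pins a server's certificate fingerprint on first contact and flags any later change for a human to judge, as an added example (not code from the thread's authors or from OpenBSD). The pin-file format, the `known_certs` name and the placeholder certificate bytes are assumptions of this example.

```python
"""Trust-on-first-use (TOFU) certificate pinning, known_hosts style (added example)."""
import hashlib
import tempfile
import time
from pathlib import Path

def fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the DER certificate as colon-separated hex (like ssh-keygen -l)."""
    h = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def load_pins(path: Path) -> dict:
    """Parse the pin file (assumed format: `host sha256 FINGERPRINT first_seen_unix`)."""
    pins = {}
    for line in (path.read_text().splitlines() if path.exists() else []):
        if line.strip() and not line.startswith("#"):
            host, algo, fp, first_seen = line.split()
            if algo == "sha256":
                pins[host] = (fp, int(first_seen))
    return pins

def check_and_pin(path: Path, host: str, cert_der: bytes, now=None) -> str:
    """'new' (pinned on first contact), 'match', or 'mismatch'; mismatches are never auto-overwritten."""
    now = int(time.time()) if now is None else now
    pins = load_pins(path)
    fp = fingerprint(cert_der)
    if host not in pins:
        with path.open("a") as f:
            f.write(f"{host} sha256 {fp} {now}\n")
        return "new"
    return "match" if pins[host][0] == fp else "mismatch"

def repin(path: Path, host: str, cert_der: bytes, now=None) -> None:
    """Explicit, user-approved replacement of a pin (e.g. after a planned key change)."""
    now = int(time.time()) if now is None else now
    pins = load_pins(path)
    pins[host] = (fingerprint(cert_der), now)
    path.write_text("".join(f"{h} sha256 {fp} {ts}\n" for h, (fp, ts) in pins.items()))

def demo() -> list:
    """First visit, repeat visit, changed certificate, then an approved re-pin.
    The certificate bytes are constructed placeholders, not real DER."""
    with tempfile.TemporaryDirectory() as d:
        store, host = Path(d) / "known_certs", "https.openbsd.org"
        v1, v2 = b"CONSTRUCTED-CERT-1", b"CONSTRUCTED-CERT-2"
        results = [check_and_pin(store, host, c, now=1070640000) for c in (v1, v1, v2)]
        repin(store, host, v2, now=1070640001)
        results.append(check_and_pin(store, host, v2, now=1070640002))
    return results  # → ['new', 'match', 'mismatch', 'match']
```

As with SSH, the weak point is the first contact and the moment a user is asked to approve a mismatch; the store only tells you that a key changed, not why.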

While the SSL certificate is meant to verify the owner's identity, as a
consumer I would never trust an SSL certificate for that purpose. It does
provide a reasonable effort to keep information between me and the server
confidential. That's worth something, I guess.

Adi

So what does the PKI actually buy you that using a throwaway self-signed cert
doesn't provide?

There is an expectation that URLs which do not produce "this certificate is not trusted" messages are safe for people to use to disclose sensitive information like credit card numbers. The average consumer has been educated to this effect at great length by commerce-oriented websites and browser vendors.

It doesn't matter whether the expectation is reasonable; what matters is that the expectation exists.

If there's a risk that people will be afraid to type credit card details into a merchant's web page, and that risk can be reduced by spending some relatively small number of dollars with a CA, then merchants will spend the dollars, and the myth is perpetuated.

You could try and re-educate the market, but since there's no money in teaching people not to trust CAs, it's difficult to see who would do the re-education.

Joe

So what does the PKI actually buy you that using a throwaway self-signed cert
doesn't provide?

No popup box on the browser asking to accept the certificate.

Adi

Valdis.Kletnieks@vt.edu writes on 12/5/2003 11:01 AM:

So what does the PKI actually buy you that using a throwaway self-signed cert
doesn't provide?

Less headaches handling hundreds of support tickets that basically say "browser displayed an alert about the cert being self signed", with or without 2 MB bitmap screenshots of the same?

  srs

"Pay us $1,000 or we'll annoy your users with popups".

Sounds suspiciously like the extortion angle used recently against somebody who
was using Windows Messenger pop-up spam to advertise their "stop pop-up spam"
product.

I'm however missing the actual security angle (remember that the lack of a
warning doesn't mean you actually connected securely with who you thought you
did).

The CA does not pop up a warning. It is the browser or client application that does this.

The three ways to disable the popup:

1) Have the user accept a CA cert for your site. Help Desk Nightmare.
2) Have the user disable the popup. Help Desk Nightmare.
3) Get the top-level-CA cartel to accept your CA cert in the list of ones
bundled into IE.

Yes, it's a cartel, and yes, actions taken by said cartel are at least partially
responsible for the pop-up happening.

Valdis.Kletnieks@vt.edu writes on 12/5/2003 1:28 PM:

The three ways to disable the popup:

1) Have the user accept a CA cert for your site. Help Desk Nightmare.
2) Have the user disable the popup. Help Desk Nightmare.
3) Get the top-level-CA cartel to accept your CA cert in the list of ones
bundled into IE.

4) For ISPs looking to run SSL sites for their own users - distribute copies of IE and Mozilla / Netscape that have your cert embedded in already.

Yes, it's a cartel, and yes, actions taken by said cartel are at least partially
responsible for the pop-up happening.

Is there a documented process for a new CA to get their certs approved/added or is it a clandestine process?

Thanks,

Deepak Jain
AiNET

Deepak Jain wrote:

Is there a documented process for a new CA to get their certs
approved/added or is it a clandestine process?

"You are in a twisty little maze of corporate back scratching, all
political."

Peter

Thus spake Deepak Jain (deepak@ai.net) [05/12/03 15:22]:

Is there a documented process for a new CA to get their certs
approved/added or is it a clandestine process?

AFAIK, clandestine. cacert.org has been trying to get their CA included
in Mozilla for some time now, but hasn't been able to. It really depends
on which browser you're trying to get included into.

  - Damian