On 14/09/2011, at 9:19, Kathleen Wilson <kathle...@yahoo.com> wrote:
> Would anyone be willing to post their recommendations about which high-profile domain names should be checked?
>
> Should I start a wiki page containing a list of high-profile domain names that should be included in the automatic checks?

Some ramblings. I guess we're all agreed that there is a thing such as
a high profile site. But maybe we haven't agreed what that means.
David says it is any site where he banks. I'm inclined to agree; I
care not for BankOfAmerica, but I do care about the community bank I
use. Which means from an individual perspective, high profile means "I
use that site." Which simply won't be tractable at a CA or meta-CA
level. At its theoretical purest, this is yet another call to give
the client/user the ability to mark and manage their own certificates in a
more flexible way. WebTrust, Petnames, etc. I wonder how long these
calls for user-led pinning can go on?

That's one focus. Another focus is the CA. Each CA can simply select
their own list, according to whatever mechanism they come up with.
Now, technically this is good because it introduces more competition
in security, thus leading to innovation; and also allows the CA to
more closely align its security to its subscriber base. But this is
completely misaligned to the real security risk analysis here: A
Chinese issuer of certs is uninterested in protecting BankOfAmerica,
but BankOfAmerica is rather interested in stopping the Chinese issuer
from shipping a cert.

So we all lack interest in this concept. For CAs, not only in
choosing the list, but in doing the work. For the rest of us, it
doesn't actually help us because of the reversed interest.

Which means the list has to come from outside the CA, in some sense or other.

Maybe the meta-CA level. Something in principle like Mozilla,
CABForum, the EU's working group on QC, ICANN, the UN (extremely
hypothetical here).

Leaving aside the manager, again we face problems of who should be on
the list. Sure, Mozilla will likely add BankOfAmerica, but who here
knows the names of the 100 biggest banks in China? Didn't think so... and
thus we're left with a "meta-CA cannot decide" problem. Which means
someone has to tell the meta-CA to add our favourite victim.

There are something on the order of 10,000 banks in the world. If they
all decide they want "ON" and ask for it, can we cope with that? How
does a bank in Uganda ask? Does the meta-CA have to then essentially
verify & validate the requestor? Isn't that taking over the CA's
job?! We seem to be making a habit of that...

So that takes us back to the CA. It knows the customer. The customer
has to ask the CA, as part of its verification process: "Make me
high-profile." Which leads to ... an additional charge (of course)
and the CA then going to the meta-CA and adding the name to the
no-copy list.

Or, if you didn't want the CA to ask for an additional charge, why not
couple it to EV? Any site that has an EV certificate has already
self-selected on first-order discrimination (the green t-shirt,
not the blue one). So bundle it in; each CA then submits the name(s)
directly into the list. This would also solve the banks-versus-google
dilemma.

Another aspect to think about is liability. If a false cert gets
issued by MalloryCA for BankOfAmerica, where AliceCA already had that
subscriber, what's the liability? Does BoA sue AliceCA or MalloryCA?
Or both? Does it make a difference if BoA is on the high-profile list
or not? Is the high profile list worth a hill of beans in court?

Indeed, one of the issues with the high-profile list is that it lays
bare the deception in court -- a CA can certify the name, but it
doesn't have any ability to stop anyone else certifying the name as
well. So, MalloryCA can say BankOfAmerica belongs to phishers this
week, for the lolz. So, in selling "protection", a CA relies on
nothing going wrong. The high-profile list becomes evidence that the
"protection racket" is just a hopes & dreams scam. It's a vanity
magazine, not a protection racket! Without some agreement that
MalloryCA is going to cough up damages, AliceCA is in a sticky
position in court, because she can't actually establish what she did
to protect her subscriber.

At this point, the lawyers might be saying "hey, you probably want to
make it compulsory for all green certs," so as to solve the decision
dilemma. Given a few calculations on the nature of the ratio of EV
cost to predictable downsides, and a few discussions of the claimed
beauty properties of wearing the green t-shirt (bullets slide off, the
must-have accessory to enhance your individuality and charisma,
doppelgangers need not apply). And, etc etc. The problem with this
idea is how to get that idea across to whoever wields the green pen at
CABForum; the more sales-savvy CAs will remember that rule #1 of
sales is "keep your customer list a secret :P" and that's just the
beginning.

In sum.

Mozilla might not be the right place for this. CABForum seems more
appropriate, but they are more a follower than a leader; it might
take the vendors to decide, and others to implement.

EV might be the right tool, as all the heavy up-front decisions are
already made.

The after-event decisions, however, are still cop-outs, and the
no-doppelgangers list lays that bare: Establish the liability
position for players, and have a very good idea what it means to be ON
as well as OFF. Be prepared to have that discussion in court. And,
consider how to bring MalloryCA to account ...

iang

Some random other questions, without apparent thought or answer or
impact on the above:

* Is there a potential attack in BobCA asking to add BoA before AliceCA?
* Can I or a crowd copy of me place BoA on the list? Perspectives? Convergence?
* Can my client download the list and use it in an innovative fashion?
* How do we get a name off?
* Does it become like the USA's famous no-fly list? Some Star Chamber process where any disgruntled federale can put the neighbour on the list for looking askance at the spouse? And you never get off...
* Does the existence of the list as probably managed in the USA mean that Cuban and Iranian banks can't get on? Or is this managed by a UN committee? Or is it managed out of China, so the banks in Taiwan aren't protected?