Re: *.google.com certificate issued by DigiNotar

114 views
Skip to first unread message

=JeffH

unread,
Aug 31, 2011, 12:56:26 AM8/31/11
to mozilla-dev-s...@lists.mozilla.org
[ I've removed the "and used by Iran government?" from the Subject: because
there isn't any hard evidence that the key-pair/cert are/were actually being
used by the Iranian government. ]

Ian G <ia...@iang.org> wrote in part..
>
> (I recall hearing that the Firefox
> software developers are already working on a more direct way to revoke a
> root, and other browsers seem to already have that control.)

In Chrome, it apparently is the two blacklists in the code here..

http://codereview.chromium.org/7791032/diff/2001/net/base/x509_certificate.cc

One being made up of server leaf certificates in
X509Certificate::IsBlacklisted(), the other CA root and intermediate certs in
X509Certificate::IsPublicKeyBlacklisted().

=JeffH

Peter Gutmann

unread,
Aug 31, 2011, 1:16:08 AM8/31/11
to Jeff....@kingsmountain.com, mozilla-dev-s...@lists.mozilla.org
=JeffH <Jeff....@KingsMountain.com> writes:

>In Chrome, it apparently is the two blacklists in the code here..

Yeah, I'd seen that one too. Some thoughts:

- There were *hundreds* of (known) bad certs issued, including quite probably
ones that we don't know about yet (see Diginotar's admission that it missed
fraudulent certs until they were discovered by members of the public).

- As with Comodogate, it's amusing to see that the browser vendors still don't
trust their own PKI-based revocation mechanisms, and fall back to the usual
admission-of-failure approach of pushing out an updated binary with known-bad
certs hardcoded into it that's been going on for at least the last ten years
(since the Verisign "Microsoft" certs in 2001).

Peter.

Ian G

unread,
Aug 31, 2011, 1:23:08 PM8/31/11
to Peter Gutmann, mozilla-dev-s...@lists.mozilla.org, Jeff....@kingsmountain.com
On 31/08/11 3:16 PM, Peter Gutmann wrote:
> =JeffH<Jeff....@KingsMountain.com> writes:
>> [ ... there isn't any hard evidence that the key-pair/cert are/were actually being used by the Iranian government. ]

No hard evidence needed, it's an APT :)

>> In Chrome, it apparently is the two blacklists in the code here..
>
> Yeah, I'd seen that one too. Some thoughts:
>
> - There were *hundreds* of (known) bad certs issued, including quite probably
> ones that we don't know about yet (see Diginotar's admission that it missed
> fraudulent certs until they were discovered by members of the public).

Yeah well. The good thing about stuff we don't know is that it's easier
to believe it didn't happen ;)

> - As with Comodogate, it's amusing to see that the browser vendors still don't
> trust their own PKI-based revocation mechanisms,

Right. Some bright spark had it a while ago, revocation only works when
you don't need it.

> and fall back to the usual
> admission-of-failure approach of pushing out an updated binary with known-bad
> certs hardcoded into it that's been going on for at least the last ten years
> (since the Verisign "Microsoft" certs in 2001).


My earlier comments were more inspired by the fact that we now appear to
need revocation. Have we crossed that line?

This one looks aggressive, coz someone was using it to MITM someone.
That is after all the point of SSL, right? To stop the MITM ...

So we have a targeted CA-hacked cert, in the wild, used to actually do
an MITM of the target.

17 years later, we're out of demo territory, academic waffleland, trust
& lies, marketing science, phishing near-misses, known unknowns and
unknown knowns...

Now it gets serious.

For this reason, we should all expect that Mozilla & other vendors will
be developing their dynamic revocation features into Firefox family,
poste haste.

Does anyone think this is a bad idea?

iang

Varga Viktor

unread,
Sep 1, 2011, 5:49:16 AM9/1/11
to Ian G, Peter Gutmann, mozilla-dev-s...@lists.mozilla.org, Jeff....@kingsmountain.com
I saw the new update (6.0.1), and nice to see, that the root was dropped.

Will the Comodo is dropped also? :)


Üdvözlettel/Regards,

Varga Viktor
Üzemeltetési és Vevőszolgálati Vezető
IT Service and Customer Service Executive
Netlock Kft.

> _______________________________________________
> dev-security-policy mailing list
> dev-secur...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>
> _______________________________________________________________________
> Ezt az e-mailt virus- es SPAM-szuresnek vetettuk ala a filter:mail
> MessageLabs rendszerrel. Tovabbi informacio: http://www.filtermax.hu
>
> This email has been scanned for viruses and SPAM by the filter:mail
> MessageLabs System. More information: http://www.filtermax.hu
> _______________________________________________________________________
> _

_______________________________________________________________________
Ezt az e-mailt virus- es SPAM-szuresnek vetettuk ala a filter:mail MessageLabs rendszerrel. Tovabbi informacio: http://www.filtermax.hu

This email has been scanned for viruses and SPAM by the filter:mail MessageLabs System. More information: http://www.filtermax.hu ________________________________________________________________________________________

Ian G

unread,
Sep 1, 2011, 12:44:18 PM9/1/11
to Varga Viktor, mozilla-dev-s...@lists.mozilla.org, Jeff....@kingsmountain.com, Peter Gutmann
On 1/09/11 7:49 PM, Varga Viktor wrote:
> I saw the new update (6.0.1), and nice to see, that the root was dropped.
>
> Will the Comodo is dropped also? :)

This is a question [0] isn't it :)

We've got ComodoGate, StartGate, now NotarGate ...

http://www.informationweek.com/news/security/attacks/231600615
http://www.networkworld.com/news/2011/083111-hackers-may-have-stolen-over-250324.html

This is bigger than any CA. Call it TrustGate?

IMHO, we've now crossed the rubicon. That special moment in the
lifecycle of a security system when it is challenged on its own turf
[1], and found wanting, evidence presented, shocking report at 7...

What we'll likely see now is a series of breaches at multiple levels to
acquire and misuse certs. We've seen compromises in the past, but what
makes this new is that we have evidence of an aggressive attack using
the cert.

Now we can count damages. And start to do real security calculations to
show if certs are worth any real money.


iang

[0] One of our questions is what is the procedure for this, on what
basis was the decision made? This process will need to be documented.
But for now, it is better to let people get on and deal with the short
term need of revoking the root.

[1] as opposed to bypassed or downgrade attacks like phishing.

Eddy Nigg

unread,
Sep 1, 2011, 12:54:23 PM9/1/11
to mozilla-dev-s...@lists.mozilla.org
On 09/01/2011 07:44 PM, From Ian G:

> We've got ComodoGate, StartGate, now NotarGate ...

I beg to differ - there was no StartGate. An attack and breach doesn't
makes it a successful one.

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
XMPP: star...@startcom.org
Blog: http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg

Ian G

unread,
Sep 1, 2011, 2:46:26 PM9/1/11
to mozilla-dev-s...@lists.mozilla.org
On 2/09/11 2:54 AM, Eddy Nigg wrote:
> On 09/01/2011 07:44 PM, From Ian G:
>> We've got ComodoGate, StartGate, now NotarGate ...
>
> I beg to differ - there was no StartGate. An attack and breach doesn't
> makes it a successful one.

Last I heard was, the cone of silence was still lowered over that one.

Begs & differs, salacious rumours, media speculation, advertising and
all that stuff.... Until we see full disclosure, I'd guess that's how
it is.

Anyone see it different?

iang

Eddy Nigg

unread,
Sep 1, 2011, 3:22:18 PM9/1/11
to mozilla-dev-s...@lists.mozilla.org
On 09/01/2011 09:46 PM, From Ian G:

> Last I heard was, the cone of silence was still lowered over that one.

Not quite correct - it was clearly stated that no relying party was
affected. I think that makes it pretty clear, don't you think?

> Begs & differs, salacious rumours, media speculation, advertising and
> all that stuff.... Until we see full disclosure, I'd guess that's how
> it is.

You got already all the information you need to know. When there is
something to report, trust me you will know about it.

Eddy Nigg

unread,
Sep 1, 2011, 7:34:05 PM9/1/11
to mozilla-dev-s...@lists.mozilla.org
On 09/01/2011 10:22 PM, From Eddy Nigg:

> You got already all the information you need to know. When there is
> something to report, trust me you will know about it.

But actually let me help here a little bit, perhaps even shaping some
policies along the way....

Do you think it reasonable that CAs inform Mozilla in case certificates
have been mistakenly issued for a high profile brand (and perhaps also
banks and other financial institutions) and for whatever reasons? I'm
think something along the lines of Alexa top 500 or so.

Do you think it's reasonable that CAs inform Mozilla in case keys of
certificates for high profile brands have been compromised?

Do you think it's reasonable that CAs inform Mozilla in case
certificates have been mistakenly issued for low profile brands and
"meaningless" sites. Or do you think for such cases the current
revocation mechanisms are sufficient? Perhaps, do you think there might
be limit for such mistaken issuance even for low-profile sites?

Do you think it's reasonable that CAs must have controls in place to
detect and prevent wrongful issuance of certificates for whatever reasons?

Do you think it's reasonable that CAs must have controls and procedures
in place for swift and proactive action in case attempts to obtain
certificates in fraudulent way are made? And do you think it's
reasonable that CAs report such attempts to Mozilla?

I'd be glad for some answers if you may, I'll continue from there.

David E. Ross

unread,
Sep 1, 2011, 9:00:12 PM9/1/11
to mozilla-dev-s...@lists.mozilla.org
On 9/1/11 4:34 PM, Eddy Nigg wrote [in part]:

> On 09/01/2011 10:22 PM, From Eddy Nigg:
>> You got already all the information you need to know. When there is
>> something to report, trust me you will know about it.
>
> But actually let me help here a little bit, perhaps even shaping some
> policies along the way....
>
[snipped]

>
> Do you think it's reasonable that CAs inform Mozilla in case
> certificates have been mistakenly issued for low profile brands and
> "meaningless" sites. Or do you think for such cases the current
> revocation mechanisms are sufficient? Perhaps, do you think there might
> be limit for such mistaken issuance even for low-profile sites?

[snipped]

How do you define low-profile?

In the U.S., Bank of America and Wells Fargo are obviously high-profile.
But California United Bank has only 8 branches, all located in three
southern California Counties.

Western Federal Credit Union is one of the largest in the U.S. with 15
or more branches in 8 states and the District of Columbia and thus might
be high-profile. What about Premier America Credit Union, which has 7
branches in two California counties and 2 branches in Texas?

Any financial institution, no matter how small and obscure, is
high-profile to its customers. The same is true of any merchant, not
merely Amazon.

--

David E. Ross
<http://www.rossde.com/>

On occasion, I might filter and ignore all newsgroup messages
posted through GoogleGroups via Google's G2/1.0 user agent
because of spam from that source.

Eddy Nigg

unread,
Sep 1, 2011, 10:20:18 PM9/1/11
to mozilla-dev-s...@lists.mozilla.org
On 09/02/2011 04:00 AM, From David E. Ross:

>
> How do you define low-profile?

How would you define it?

> In the U.S., Bank of America and Wells Fargo are obviously high-profile.
> But California United Bank has only 8 branches, all located in three
> southern California Counties.

Taking my initial question on high-profile brands and sites, I also
suggested banks and financial institutions. So low-profile wouldn't
apply to them in my opinion.

But you can certainly set your own criteria at the moment....

Kyle Hamilton

unread,
Sep 1, 2011, 11:36:05 PM9/1/11
to MozPol
On Thu, Sep 1, 2011 at 4:34 PM, Eddy Nigg <eddy...@startcom.org> wrote:
> Do you think it reasonable that CAs inform Mozilla in case certificates have

> been mistakenly issued for a high profile brand (and perhaps also banks and
> other financial institutions) and for whatever reasons? I'm think something
> along the lines of Alexa top 500 or so.

Yes.

> Do you think it's reasonable that CAs inform Mozilla in case keys of
> certificates for high profile brands have been compromised?

I think it's reasonable for sites themselves to notify the browser, independent of what the CA does. But, I believe that the CA should notify Mozilla, preferably in an automated fashion.

> Do you think it's reasonable that CAs inform Mozilla in case certificates
> have been mistakenly issued for low profile brands and "meaningless" sites.
> Or do you think for such cases the current revocation mechanisms are
> sufficient? Perhaps, do you think there might be limit for such mistaken
> issuance even for low-profile sites?

Yes. We should all be equal before the law here, and the reaction should be standard, equal, and fair. Mozilla/Google should (as part of their safe browsing services) also provide OCSP or some other certificate revocation mechanism. They're already being used in ways that infringe on users' privacy, so for the users who choose to use those services there's no additional disclosure.

> Do you think it's reasonable that CAs must have controls in place to detect
> and prevent wrongful issuance of certificates for whatever reasons?

Yes.

> Do you think it's reasonable that CAs must have controls and procedures in
> place for swift and proactive action in case attempts to obtain certificates
> in fraudulent way are made? And do you think it's reasonable that CAs report
> such attempts to Mozilla?

Yes, and yes. But.

I don't believe that any benefit derives from mandating that CAs do something necessarily proactive, unless there are adequate controls in Mozilla and its certificate revocation infrastructure to be able to deal with the results of failing to meet that mandate as a standard, regular occurrence.

In other words, I don't trust most of the CAs out there to keep themselves secure. I trust them to believe that they're secure, but not to proactively learn about new threats or even to have competent risk managers.

We need to figure out how to recover from CA control failure safely and routinely.

-Kyle H

Peter Gutmann

unread,
Sep 1, 2011, 11:39:36 PM9/1/11
to eddy...@startcom.org, mozilla-dev-s...@lists.mozilla.org
Eddy Nigg <eddy...@startcom.org> writes:
>On 09/01/2011 07:44 PM, From Ian G:
>> We've got ComodoGate, StartGate, now NotarGate ...
>I beg to differ - there was no StartGate. An attack and breach doesn't makes
>it a successful one.

Since we still have absolutely no idea what happened at StartSSL apart from
whatever it was being sufficient to shut down a major CA for some weeks, I
think it's justifiable to call this StartGate. If it hadn't been for the
public discovery of malicious certs, DiginotarGate (dammit, CA's should be
required to pick names that work better with -gate) wouldn't even have been
noticed, making it even less of a -gate than StartGate. And who knows how
many other breaches there have been that the CAs have successfully hushed up.

(Both ComodoGate and DiginotarGate were valuable in this respect, ComodoGate
for showing that browser vendors are willing to collude with CAs to cover up
breaches, and DiginotarGate for showing that CAs are willing to hush up
breaches more or less indefinitely until forced to disclose by external events
outside their control).

Peter.

Peter Gutmann

unread,
Sep 2, 2011, 12:19:32 AM9/2/11
to ia...@iang.org, Varga....@netlock.hu, mozilla-dev-s...@lists.mozilla.org, crypto...@randombit.net, Jeff....@kingsmountain.com, pgu...@cs.auckland.ac.nz
[NB: CC'd to the randombit cryptography list, since this is an interesting
point for discussion].

Ian G <ia...@iang.org> writes:

>What we'll likely see now is a series of breaches at multiple levels to
>acquire and misuse certs. We've seen compromises in the past, but what makes
>this new is that we have evidence of an aggressive attack using the cert.

I wonder if we're going to see something like the four-minute-mile phenomenon,
until Roger Bannister did it, it was thought to be impossible, but once he'd
proven it was possible an avalanche of others followed his lead. So now that
we've had repeated public cases showing you can own a CA, will others follow?

(Two possible counterarguments: (1) For all we know this has been going on
forever, but noone's ever noticed since the CAs, in some cases in collusion
with the browser vendors, have kept quiet and hoped no-one would notice, and
(2) Since the value provided by browser PKI is near zero, there's no point to
owning a CA for commercial attackers, so few will bother apart from hackers
showing off).

Peter.

Peter Gutmann

unread,
Sep 2, 2011, 12:22:18 AM9/2/11
to eddy...@startcom.org, mozilla-dev-s...@lists.mozilla.org
Eddy Nigg <eddy...@startcom.org> writes:
>On 09/01/2011 09:46 PM, From Ian G:
>> Last I heard was, the cone of silence was still lowered over that one.
>Not quite correct - it was clearly stated that no relying party was affected.

Diginotar were also quite clear that no relying party was affected. Until one
was.

>You got already all the information you need to know.

... and given the situation with Comodo and Diginotar, to be safe we have to
assume the worst based on this lack of information.

Peter.

Eddy Nigg

unread,
Sep 2, 2011, 3:55:03 AM9/2/11
to mozilla-dev-s...@lists.mozilla.org
On 09/02/2011 06:36 AM, From Kyle Hamilton:

> On Thu, Sep 1, 2011 at 4:34 PM, Eddy Nigg <eddy...@startcom.org> wrote:

Thanks Kyle for participating in my little survey. I'll wait for the
answers from Ian for full comment...

Peter Gutmann

unread,
Sep 2, 2011, 10:50:58 AM9/2/11
to ia...@iang.org, pgu...@cs.auckland.ac.nz, Varga....@netlock.hu, mozilla-dev-s...@lists.mozilla.org, Jeff....@kingsmountain.com
Varga Viktor <Varga....@netlock.hu> writes:

>I saw the new update (6.0.1), and nice to see, that the root was dropped.
>
>Will the Comodo is dropped also? :)

Nope, they're Too Big To Fail, and like other equivalent CAs can do whatever
they want without repercussions. The affected Diginotar CA OTOH had only
issued about 700 certs in total, and there were at least 200-250 fraudulent
ones (and possibly many more yet to be discovered), so they were small enough
to fail.

As Lucky Green pointed out in a posting on another list, we now at least have
a lower bound for how small a CA has to be to be pulled by browser vendors (or
possibly how big a catastrophe it has to be involved in, since a quarter or
more of all its certs are fraudulent).

Peter.

Eddy Nigg

unread,
Sep 2, 2011, 11:36:47 AM9/2/11
to mozilla-dev-s...@lists.mozilla.org
On 09/02/2011 05:50 PM, From Peter Gutmann:

> Nope, they're Too Big To Fail, and like other equivalent CAs can do
> whatever they want without repercussions.

I think that's too easy - Comodo was proactive in detection and
disclosure of the mistakenly issued certificates. I think there is a
huge difference also in the extend of the incident. Plus they have a bit
market share which is certainly a valid argument too.

But look what's going in over in the Netherlands, the impact there
could be much bigger than just server certificates.

Ian G

unread,
Sep 2, 2011, 11:44:13 AM9/2/11
to mozilla-dev-s...@lists.mozilla.org
On 2/09/11 5:22 AM, Eddy Nigg wrote:
> On 09/01/2011 09:46 PM, From Ian G:
>> Last I heard was, the cone of silence was still lowered over that one.
>
> Not quite correct - it was clearly stated that no relying party was
> affected. I think that makes it pretty clear, don't you think?


Er, no? Clear as mud, to me: there is no consistent definition of
"relying party" [0] so what escaped out of the cone of silence sounded
to me like "mumble, mumble, rhubarb, mumble."

Was Mozilla informed? Because, they are a relying party? Other CAs?

What Peter said, with added salt & liability?

>> Begs & differs, salacious rumours, media speculation, advertising and
>> all that stuff.... Until we see full disclosure, I'd guess that's how
>> it is.
>

> You got already all the information you need to know. When there is
> something to report, trust me you will know about it.


Other than the fact that a CA saying "trust me" is sooooo 1990s ... if
you're serious about that -- we should trust the CA in compromise? -- I
think you owe at least Comodo the mother of all apologies for all the
abuse loaded on them over the years?

iang

[0] depending on your religion, "relying party" means one of:

everyone who uses a browser,
one tiny buried list of contract parties (see Steve's comments), or
Mozilla.

As I say, it's a religious thing.

Eddy Nigg

unread,
Sep 2, 2011, 11:50:08 AM9/2/11
to mozilla-dev-s...@lists.mozilla.org
On 09/02/2011 06:44 PM, From Ian G:

> Was Mozilla informed? Because, they are a relying party? Other CAs?
>

If you would bother answer my questions from the little survey I can
help you a bit further.

Eddy Nigg

unread,
Sep 2, 2011, 11:53:32 AM9/2/11
to mozilla-dev-s...@lists.mozilla.org
On 09/02/2011 06:44 PM, From Ian G:

> Other than the fact that a CA saying "trust me" is sooooo 1990s ... if
> you're serious about that -- we should trust the CA in compromise?

What do you know?

> -- I think you owe at least Comodo the mother of all apologies for all
> the abuse loaded on them over the years?

Abuse? I was the one warning them amongst others. But you can ask them
if they feel I should do that - I believe not.

Eddy Nigg

unread,
Sep 2, 2011, 12:43:10 PM9/2/11
to mozilla-dev-s...@lists.mozilla.org
On 09/02/2011 10:55 AM, From Eddy Nigg:

> On 09/02/2011 06:36 AM, From Kyle Hamilton:
>> On Thu, Sep 1, 2011 at 4:34 PM, Eddy Nigg <eddy...@startcom.org>
>> wrote:
>
> Thanks Kyle for participating in my little survey. I'll wait for the
> answers from Ian for full comment...
>

Ian, I'm keen to get your honest answers to my questions...here they are
again (updated with David's suggestion):


Do you think it reasonable that CAs inform Mozilla in case certificates
have been mistakenly issued for a high profile brand (and perhaps also
banks and other financial institutions) and for whatever reasons? I'm
think something along the lines of Alexa top 500 or so.

Do you think it's reasonable that CAs inform Mozilla in case keys of

certificates for high profile brands have been compromised?

Do you think it's reasonable that CAs inform Mozilla in case

certificates have been mistakenly issued for low profile brands and

"meaningless" sites (which excludes financial institutions). Or do you

think for such cases the current revocation mechanisms are sufficient?

Perhaps, do you think there might be a limit for such mistaken issuance
even for low-profile sites?

Do you think it's reasonable that CAs must have controls in place to

detect and prevent wrongful issuance of certificates for whatever reasons?

Do you think it's reasonable that CAs must have controls and procedures

in place for swift and proactive action in case attempts to obtain
certificates in fraudulent way are made? And do you think it's
reasonable that CAs report such attempts to Mozilla?

--

Ian G

unread,
Sep 2, 2011, 1:31:00 PM9/2/11
to mozilla-dev-s...@lists.mozilla.org
On 2/09/11 9:34 AM, Eddy Nigg wrote:
> On 09/01/2011 10:22 PM, From Eddy Nigg:
>> You got already all the information you need to know. When there is
>> something to report, trust me you will know about it.
>
> But actually let me help here a little bit, perhaps even shaping some
> policies along the way....

I'll play :) but apologies in advance, wet blanket warning /!\

The answer depends on who's perspective. So, picking one set of
assumptions [&] at random, here's an answer:

No way, Jose! Not with our non-profit browser Foundation
that serves a public of 250 million parties, dependent
on the survival of the Foundation. Thanks but *NO Thanks* .

that said, onwards.

> Do you think it reasonable that CAs inform Mozilla in case certificates
> have been mistakenly issued for a high profile brand (and perhaps also
> banks and other financial institutions) and for whatever reasons? I'm
> think something along the lines of Alexa top 500 or so.

No. It's definately not reasonable, prima facie [0].

From the pov of a vendor, and Mozilla especially:

It has dramatic implications for liability, among other things. And, as
there is no strong contract between the CA and this vendor as yet [1]
vendor should seek legal advice on the ramifications before they accept
any liability shifting.

Or, show me the liability clause in the contract?

Also, we (Mozilla) have just managed to clear up own direct liability
with own contract to users, still young at 2 years ... it's not
tactically prudent to go mucking up the waters so quickly (IMHO).


> Do you think it's reasonable that CAs inform Mozilla in case keys of
> certificates for high profile brands have been compromised?

No, as above, prima facie. This is between the CA and the brand, their
contract will rule this. The CA is *the authority*. It should simply
pay damages out to the brand. Solved.

Unless, one concedes that the arrangement between the CA and the brand
is insufficient, in some sense?

If you're prepared to concede that, then our (Mozilla's) answer should be

"sure, let's talk. But it'd better be good....."

If conceded, the entire concept of *CAs as authorities* , audits,
revocation, vendors, relying parties, contracts, liability, and so forth
and so on ad nauseum is now undermined. Mozilla will need serious
answers to serious questions.

Pandorra's box?


> Do you think it's reasonable that CAs inform Mozilla in case
> certificates have been mistakenly issued for low profile brands and

> "meaningless" sites.

No (ditto).

> Or do you think for such cases the current
> revocation mechanisms are sufficient?

(Mozilla's Lawyer speaks with firmness:) liability is your problem not
ours! If you have a problem with the mechanism, go talk to PKIX.

(That's what Mozilla tells us :P )

(snip)

> Do you think it's reasonable that CAs must have controls in place to
> detect and prevent wrongful issuance of certificates for whatever reasons?

These are risk management and/or compliance questions. As they seem to
be a change in topic, I'll defer answering... <snip>

> And do you think it's
> reasonable that CAs report such attempts to Mozilla?

No.

> I'd be glad for some answers if you may, I'll continue from there.

So, as I mentioned above, pick another set of assumptions and get a
different answer. Who's interest are we protecting today?

The second big issue with all this "reasonableness" is that it questions
the sanctity of the CA, according to the PKI bible.

Such "reasonableness" hides a shift for the entire industry into a
position where, because we failed, all players now must cooperate and
work together on breaches, and/or seek some protection from some big
umbrella player e.g. Mozilla, and/or whatever other liability shifting
can be conducted.

Now, some have said that has to happen anyway [2]. But (a) we're not
seeing the climb-down necessary:

"ok, we were wrong, now what?"

It's not being merely nitpickity and toldyasoish - Peter was right to
point it out, I just had to think it out.

There is no point in talking about bringing the vendor in to the
responsibility trap unless we all fully accept that the CA-client
relationship is Fundamentally Broken. Nobody wants to be complicit in
hiding that rot, because it results in the mother of all liability shifts.

We're talking real money now. We crossed the rubicon. Major world
brand [3]; we're not talking small beer.

Also, (b) there is no institution anywhere here or close that can be
trusted to deal these proposals properly [4].

iang

[&] Including, I'm assuming "inform Mozilla" means "inform only
Mozilla" as opposed to "full and open disclosure which also informs
Mozilla."

[0] by that, I mean, without some other very careful strong elements,
about which it is unlikely that anyone knows about.

[1] by strong contract, I mean a single purpose-written document.
There is a contract, it's just not that.

[2] Maybe me included. I among many others proposed the inter-CA
approach on falsely issued certs around 2005 I guess...

[3] The cost of the Sony hacks was around $150m? What's the issuance
of a false Google or Amazon cert worth in costs? How much did the RSA
hack cost?

[4] Scratch CABForum, wrong structure.

Eddy Nigg

unread,
Sep 2, 2011, 1:56:19 PM9/2/11
to mozilla-dev-s...@lists.mozilla.org
On 09/02/2011 08:31 PM, From Ian G:

> I'll play :) but apologies in advance, wet blanket warning /!\

Thanks for the warning, unfortunately I can't do anything with your
answers. They don't make any sense for me.

So perhaps somebody else would like give some strait answers on my
questions? Perhaps Gerv or another representative of Mozilla can join in
and provide insight about what they consider reasonable for the cases I
mentioned in my little survey?

Ian G

unread,
Sep 2, 2011, 2:08:12 PM9/2/11
to mozilla-dev-s...@lists.mozilla.org
Two other questions, which I saw as disjoint.


On 2/09/11 9:34 AM, Eddy Nigg wrote:
> Do you think it's reasonable that CAs must have controls in place to
> detect and prevent wrongful issuance of certificates for whatever reasons?

Either you comply with a control that is imposed from on-high (BR has
such a control IIRC), or, you have a risk management process (again BR)
that answers that question, whether/why/how.

That said, imho: it's highly likely that risk management will say yes.
There's gotta be some controls, otherwise, what does a cert mean if it
is not checked?

(Maybe you have in mind a certain sort of control, or a certain
definition of wrong?)

> Do you think it's reasonable that CAs must have controls and procedures
> in place for swift and proactive action in case attempts to obtain
> certificates in fraudulent way are made?

Logic, ditto.

Risk control: much less likely to be in place, c.f., spam. Compliance:
you're half way to hell already, no reasonableness argument need apply.

> And do you think it's
> reasonable that CAs report such attempts to Mozilla?

No, Mozilla ain't anyone's IDS.


iang

Eddy Nigg

unread,
Sep 2, 2011, 2:15:30 PM9/2/11
to mozilla-dev-s...@lists.mozilla.org
On 09/02/2011 09:08 PM, From Ian G:

> Two other questions, which I saw as disjoint.
>

Thanks Ian, those answers made some more sense to me in relation to the
questions I asked. I'll wait for some further input....

....and continue from there.

Kyle Hamilton

unread,
Sep 2, 2011, 5:49:18 PM9/2/11
to Crypto discussion list, Peter Gutmann, mozilla-dev-s...@lists.mozilla.org, Varga....@netlock.hu, ia...@iang.org


On Thu, Sep 1, 2011 at 9:19 PM, Peter Gutmann <pgu...@cs.auckland.ac.nz> wrote:
> [NB: CC'd to the randombit cryptography list, since this is an interesting
>     point for discussion].
>
> Ian G <ia...@iang.org> writes:
>
>>What we'll likely see now is a series of breaches at multiple levels to
>>acquire and misuse certs.  We've seen compromises in the past, but what makes
>>this new is that we have evidence of an aggressive attack using the cert.
>
> I wonder if we're going to see something like the four-minute-mile phenomenon,
> until Roger Bannister did it, it was thought to be impossible, but once he'd
> proven it was possible an avalanche of others followed his lead.  So now that
> we've had repeated public cases showing you can own a CA, will others follow?

Yes. The system as it exists is built upon completely incorrect premises, that the CA will never fail and that one credential for everything is all anyone will ever need. It is fraught with singletons -- One CA, One Chain, One Credential, One Way to Assert (per mode)...

At this point, we need to figure out how to improve the revocation infrastructure -- but I don't believe that it can be done within the browser as it currently exists, and particularly not within Mozilla.

> (Two possible counterarguments: (1) For all we know this has been going on
> forever, but noone's ever noticed since the CAs, in some cases in collusion
> with the browser vendors, have kept quiet and hoped no-one would notice, and

Definitely a valid concern (especially after Mozilla's ho-hum response to Verisign's TLD training issue, Comodo's inability to conduct an appropriate risk assessment, and StartCom's silence after being taken offline for a week -- all prior to this DigiNotar debacle). I've been worried about this for several years.

> (2) Since the value provided by browser PKI is near zero, there's no point to
> owning a CA for commercial attackers, so few will bother apart from hackers
> showing off).

Once a failure of the model has been shown, expect other malefactors to follow.

Just because browser PKI is near-zero value doesn't mean that every reliance on certificates issued by public CAs will always have the same near-zero value. Without exemplars of greater value, though, near-zero is the use we get out of it.

-Kyle H

Ian G

unread,
Sep 3, 2011, 10:17:01 AM9/3/11
to mozilla-dev-s...@lists.mozilla.org
OK, let me try again. What you ask isn't reasonable. However it can be
made reasonable with a small change. Do it this way:

Walk in with your CPS. Read out these words to Mozilla, to all of us:

Liability

StartCom gives no guaranties whatsoever.... The
certification services are operated ... without
any warranty. Relying parties ... are solely
responsible ... and therefore shall bear the
legal consequences.... Under no circumstances ....
shall StartCom ... *be liable* ....

http://www.startssl.com/policy.pdf

Mozilla nods. Mozilla reads out its no-liability statement, taken from
its Firefox user agreement.

You nod. Everyone does the same thing. We all nod. We all agree.

Now, we can all have a reasonable discussion. Now, we're not afraid.
Read on...


On 2/09/11 9:34 AM, Eddy Nigg wrote:
> On 09/01/2011 10:22 PM, From Eddy Nigg:

>> You got already all the information you need to know. When there is
>> something to report, trust me you will know about it.
>

> But actually let me help here a little bit, perhaps even shaping some
> policies along the way....
>

> Do you think it reasonable that CAs inform Mozilla in case certificates
> have been mistakenly issued for a high profile brand (and perhaps also
> banks and other financial institutions) and for whatever reasons? I'm
> think something along the lines of Alexa top 500 or so.
>

> Do you think it's reasonable that CAs inform Mozilla in case keys of
> certificates for high profile brands have been compromised?
>

> Do you think it's reasonable that CAs inform Mozilla in case
> certificates have been mistakenly issued for low profile brands and

> "meaningless" sites. Or do you think for such cases the current


> revocation mechanisms are sufficient? Perhaps, do you think there might

> be limit for such mistaken issuance even for low-profile sites?


>
> Do you think it's reasonable that CAs must have controls in place to
> detect and prevent wrongful issuance of certificates for whatever reasons?
>

> Do you think it's reasonable that CAs must have controls and procedures
> in place for swift and proactive action in case attempts to obtain

> certificates in fraudulent way are made? And do you think it's


> reasonable that CAs report such attempts to Mozilla?
>

Eddy Nigg

unread,
Sep 3, 2011, 10:28:28 AM9/3/11
to mozilla-dev-s...@lists.mozilla.org
On 09/03/2011 05:17 PM, From Ian G:

> OK, let me try again. What you ask isn't reasonable. However it can
> be made reasonable with a small change. Do it this way:

Ian, you are not even worth that I answer you in seriousness, you have
no clue about anything you talk about. I will talk with people that
appear to be normal and are able to answer a normal answer to a normal
question. Keep your politics out from here if possible.

As such you can learn about liability and negligence with DigiNotar,
just follow the news.

Eddy Nigg

unread,
Sep 3, 2011, 10:54:50 AM9/3/11
to mozilla-dev-s...@lists.mozilla.org
On 09/03/2011 05:17 PM, From Ian G:
> Walk in with your CPS. Read out these words to Mozilla, to all of us:
>
> Liability

Oh, and by the way I will not discuss with you nor with anybody else
legal aspects and liability issues of our policy - except in case a
binding framework and requirements are established by Mozilla, being it
through policy or otherwise.

Florian Weimer

unread,
Sep 3, 2011, 1:53:04 PM9/3/11
to Ian G, mozilla-dev-s...@lists.mozilla.org, Jeff....@kingsmountain.com, Varga Viktor, Peter Gutmann
* Ian G.:

> What we'll likely see now is a series of breaches at multiple levels
> to acquire and misuse certs. We've seen compromises in the past, but
> what makes this new is that we have evidence of an aggressive attack
> using the cert.

How so? TLS with the most widely used cipher suites provides precious
little evidence.

Moudrick M. Dadashov

unread,
Sep 3, 2011, 3:28:32 PM9/3/11
to dev-secur...@lists.mozilla.org
On 9/3/2011 5:54 PM, Eddy Nigg wrote:
> On 09/03/2011 05:17 PM, From Ian G:
>> Walk in with your CPS. Read out these words to Mozilla, to all of us:
>>
>> Liability
>
> Oh, and by the way I will not discuss with you nor with anybody else
> legal aspects and liability issues of our policy - except in case a
> binding framework and requirements are established by Mozilla, being
> it through policy or otherwise.
>
BTW liability of QC issuers is in the Civil code. It has insurance
requirements too.

Thanks,
M.D.

--
M.D.
Cell: +370-699-26662

Ian G

unread,
Sep 4, 2011, 8:22:40 AM9/4/11
to mozilla-dev-s...@lists.mozilla.org
On 4/09/11 12:54 AM, Eddy Nigg wrote:
> On 09/03/2011 05:17 PM, From Ian G:
>> Walk in with your CPS. Read out these words to Mozilla, to all of us:
>>
>> Liability
>
> Oh, and by the way I will not discuss with you nor with anybody else
> legal aspects and liability issues of our policy -


Thanks! That makes the case elegantly. We're in total agreement then:

Under no circumstances ....
shall StartCom ... *be liable* ....

http://www.startssl.com/policy.pdf

You declare that your liability is zero.

As long as you are happy with that, you do not really need to discuss
it. There's nothing to discuss. The gordian knot is cut.


> except in case a
> binding framework and requirements are established by Mozilla, being it
> through policy or otherwise.


+1. Let's do it! [0] It's pretty clear that no CA nor vendor will
talk about it until it is established by policy.

Then, as long as vendors and CAs agree (e.g., you & Mozilla and the
lawyers), it becomes entirely reasonable to have a discussion about
reducing risks.

However, without that agreement, liabilities may be being shifted under
the covers...

In which case, you and Mozilla and everyone else here are advised VERY
LOUDLY to NOT discuss it AT ALL any implications to your liabilities.

As you say.

iang

[0] Long thread somewhere around here:
"BR17.1 - Liability MUST be fully disclaimed."
http://groups.google.com/group/mozilla.dev.security.policy/msg/c7a37faf658ce757

[1] lawyers to work out the details in BR...
[2] lawyers will tell you the details...

Eddy Nigg

unread,
Sep 5, 2011, 9:11:16 AM9/5/11
to mozilla-dev-s...@lists.mozilla.org
On 09/03/2011 05:28 PM, From Eddy Nigg:

>
> As such you can learn about liability and negligence with DigiNotar,
> just follow the news.
>

http://webwereld.nl/nieuws/107826/-maak-geheimhouden-hack-diginotar-strafbaar-.html

Peter Gutmann

unread,
Sep 5, 2011, 11:26:54 PM9/5/11
to eddy...@startcom.org, mozilla-dev-s...@lists.mozilla.org
Eddy Nigg <eddy...@startcom.org> writes:

>http://webwereld.nl/nieuws/107826/-maak-geheimhouden-hack-diginotar-strafbaar-.html

Interesting:

Het bewust niet bekendmaken van digitale inbraken die mensenlevens in gevaar
brengen, zoals bij DigiNotar, moet strafbaar worden gesteld. De directe
meldingsplicht moet in de wet worden opgenomen.

which is (approximately):

Deliberately concealing intrusions [that endanger human lives] as Diginotar
did must be made an offense. Mandatory breach notification must be made
law.

So since the browser vendors have chosen to ignore this, governments are going
to step in and regulate instead. I'm not sure that that's going to lead to an
optimal result...

(OK, the story is quoting an MP so it may be just political posturing, but
let's wait and see).

Peter.

Gervase Markham

unread,
Sep 9, 2011, 5:55:24 PM9/9/11
to mozilla-dev-s...@lists.mozilla.org
My personal views:

On 01/09/11 16:34, Eddy Nigg wrote:
> Do you think it reasonable that CAs inform Mozilla in case certificates
> have been mistakenly issued for a high profile brand (and perhaps also
> banks and other financial institutions) and for whatever reasons? I'm
> think something along the lines of Alexa top 500 or so.

Yes.

> Do you think it's reasonable that CAs inform Mozilla in case keys of
> certificates for high profile brands have been compromised?

Yes.

> Do you think it's reasonable that CAs inform Mozilla in case
> certificates have been mistakenly issued for low profile brands and
> "meaningless" sites. Or do you think for such cases the current
> revocation mechanisms are sufficient? Perhaps, do you think there might
> be limit for such mistaken issuance even for low-profile sites?

Yes; no; no.

> Do you think it's reasonable that CAs must have controls in place to
> detect and prevent wrongful issuance of certificates for whatever reasons?

Yes.

> Do you think it's reasonable that CAs must have controls and procedures
> in place for swift and proactive action in case attempts to obtain
> certificates in fraudulent way are made? And do you think it's
> reasonable that CAs report such attempts to Mozilla?

Yes; that's the $64,000 question. Should CAs have to report unsuccessful
attempts? And how do you define "attempt" if it's unsuccessful? We don't
want an email about every network scan.

Gerv

Eddy Nigg

unread,
Sep 9, 2011, 6:23:14 PM9/9/11
to mozilla-dev-s...@lists.mozilla.org
On 09/10/2011 12:55 AM, From Gervase Markham:
> Do you think it's reasonable that CAs inform Mozilla in case
> certificates have been mistakenly issued for low profile brands and
> "meaningless" sites. Or do you think for such cases the current
> revocation mechanisms are sufficient? Perhaps, do you think there might
> be limit for such mistaken issuance even for low-profile sites?
> Yes; no; no.

OK - perhaps here we have to define what we call mistake. Because I'm
quite sure that Mozilla isn't interested in an explanation of every
revocation - for example non-adherence to a CA policy or wrongful
identification or incomplete verification could be such a mistake too,
reason for revocation.

In my personal opinion I believe that reporting for such low-profile
targets would be an overkill and revocation mechanisms should be
sufficient. As opposed to what we called the high-profile sites.

Michael Ströder

unread,
Sep 20, 2011, 11:04:58 AM9/20/11
to mozilla-dev-s...@lists.mozilla.org
Eddy Nigg wrote:
> On 09/03/2011 05:17 PM, From Ian G:
>> Walk in with your CPS. Read out these words to Mozilla, to all of us:
>>
>> Liability
>
> Oh, and by the way I will not discuss with you nor with anybody else legal
> aspects and liability issues of our policy - except in case a binding
> framework and requirements are established by Mozilla, being it through policy
> or otherwise.

Pfft...! (I now removed the trust bits from Startcom's CA cert...)

Ciao, Michael.

Eddy Nigg

unread,
Sep 20, 2011, 4:22:33 PM9/20/11
to mozilla-dev-s...@lists.mozilla.org
On 09/20/2011 06:04 PM, From Michael Ströder:
> Eddy Nigg wrote:
>> Oh, and by the way I will not discuss with you nor with anybody else
>> legal aspects and liability issues of our policy - except in case a
>> binding framework and requirements are established by Mozilla, being
>> it through policy or otherwise.
> Pfft...! (I now removed the trust bits from Startcom's CA cert...)

Oh well, perhaps you should probably remove all the others too except in
case you'll find a CA willing to discuss their particular policy and
their approach of legal aspects and liability issues here at this list
- if you do, you can enable it again.

For now I noted that you stopped being a relying party for now and in
the future. Thanks.

Kaspar Brand

unread,
Sep 22, 2011, 5:32:27 AM9/22/11
to dev-secur...@lists.mozilla.org
On 20.09.2011 17:04, Michael Ströder wrote:
> Eddy Nigg wrote:
>> Oh, and by the way I will not discuss with you nor with anybody else legal
>> aspects and liability issues of our policy - except in case a binding
>> framework and requirements are established by Mozilla, being it through policy
>> or otherwise.
>
> Pfft...! (I now removed the trust bits from Startcom's CA cert...)

Welcome to the club.
https://groups.google.com/group/mozilla.dev.security.policy/msg/be80c71b7dc7f001?q=%22keep+any+trust+bits+for+the+Startcom+roots+unset%22

Kaspar

Eddy Nigg

unread,
Sep 22, 2011, 7:57:24 AM9/22/11
to mozilla-dev-s...@lists.mozilla.org
On 09/22/2011 12:32 PM, From Kaspar Brand:
> Welcome to the club.

Interesting that some are obsessed to hold me and StartCom to a higher
standard which I probably should take as a compliment.

Kaspar, I haven't heard from you for while...how are you today?
Apparently nothing significant happened during the last half year,
finally and suddenly you found a good opportunity to let your voice
heard? Well done.
Reply all
Reply to author
Forward
0 new messages