StartCom Web of Trust

October 21, 2006

Mozilla against Debian?

Filed under: security — startcom @ 8:55 am

There were many articles during the last few weeks concerning the Firefox issue on Debian, and it seems that many are getting it completely wrong. So even though too much has already been said on this subject, I decided to write this article and hope, at last, to put the right things on the table. The issue at hand is of course the much debated request from Mozilla to the Debian developers to refrain from using the Firefox trademark as long as they change the source code.

Why? It’s not only because the Firefox logo is non-free, but because Firefox stands for a certain standard, policy and quality. Let me explain this and give you a very good reason why Debian’s version of Firefox can’t be called Firefox. One of the reasons I see is that the Debian developers do some really stupid things and add insecure stuff to the code… Yes, you heard right!

Debian adds CA certificates of “certification authorities” which were never audited and do not comply with expected industry standards and behaviors to the trusted certificate store of Firefox (this according to a claim made by one of these CAs, which includes a screenshot)! Now, Mozilla invests quite some time, effort and resources into this issue, to make sure that certification authorities live up to their promises. Mozilla developed clear guidelines and a CA policy, which defines which conditions must be met by certification authorities in order to be shipped as a trusted CA within Firefox. Mozilla in return is to a certain extent responsible for this and has to comply with its own policy…

And here comes Debian, changes the rules and therefore can’t mark it as Firefox! They can call it whatever they like, but it’s not the Firefox brand anymore, especially when doing such stupid things! Mozilla can’t take responsibility for these changes made by Debian and therefore had to request that Debian either change this dangerous behavior and refrain from adding untrusted CAs to their certificate store, or change the brand name and logo. Needless to say, Debian endangers its own users by doing this, but that’s perhaps their beer…

Note: I’m not affiliated with Mozilla in any way, nor do I have any information from Mozilla concerning this issue. Since I work at a certification authority, I’m aware of this behavior by Debian, and this is my own reasoning and conclusion on the subject.

October 6, 2006

Sxipping In, User Centric Identity and its Relationship to a CA

Filed under: Digital Identity, identity — startssl @ 9:25 pm

Sxip, OpenID, CardSpace (formerly InfoCard) and i-names are user centric models of identity.

I find the whole idea about this extremely interesting, but there are some things to consider.

Privacy… am I going to give this site my real info?

Authority… how are sites to know that I am providing my real info, or do they care?

These user centric models of data mean that the user can create their own persona to carry around from site to site. In some cases I may want absolute anonymity, say if I am Chinese and trying to blog; in other cases I may want 100% certainty that I am who I say I am. These user centric models mean that I can claim anything I like, and that is fine for anonymous access, so I am more concerned with providing reasonable certainty that I am who I say I am.
Let’s face it, with spammers and phishers and every other kind of creep out there, it’s really hard to state that a person visiting your site is who they claim to be. So how can I state that I am who I say I am in a trustworthy way? You could think of this as something like trying to validate that an email came from the person listed in the “From”.
On the internet just about everything is easy to fake; only encryption can really help. So we come to public/private key encryption. As I have stated before, PGP is only good for anonymous and pseudo-anonymous encryption, but actually any keypair that isn’t backed up by a statement from a trusted source is going to have the same problems. This is because without a trusted source there is no validation that you are getting the key you think and not a well crafted fake. The only people capable of making trustworthy identity assertions are governments (ok, this is a bit of an exaggeration, but it’s the closest to the truth I am going to bother with); the only other group that is trying to make identity assertions are Certificate Authorities, like StartCom and Verisign. However, not all CAs have the same rules about validating the identity of their users.

The assertion of an identity is a tricky business, and I have set forth earlier a plan for how to make it reliable, but the ruling has been that relying on volunteers means that there is no reliability. Still, the ability for a user to associate a persona with a particular certificate, or group of certificates, would be like having a choice of ID cards, some very reliable, like a driver’s license, some not, like a library card. I see a great deal of value in making a CA a homesite, as well as in making a CA a membersite.

As a homesite, a CA could give users an authoritative place from which to share their data. As a membersite, a CA could speed up user registration.

Either way there seem to be a lot of reasons to make the association between a user-centric account and a CA account or certificate.

September 20, 2006

Point Systems for Persona Validations

Filed under: Digital Identity, Uncategorized — startssl @ 5:24 pm

Other CAs that use a WoT use a point system to show your validation status. The points that can be assigned range from 5 to 35, with 50 points being the standard before you are “trusted” and get to have your name in your certificate.

This is to get around the fact that most people don’t know how to check the class level of a certificate, and even if they did, it’s not represented uniformly, because there is no data in the certificate that tells you what class level it is. The “best practices” say that the CA should issue different class levels from different intermediate authorities, but not everyone does.

Back to the point…

In the context of a persona validation, is it valid to say “I have a 14% level of belief that this person is who they say they are”? In the context of a Notary Public the answer is “no”. Either you believe this person and their ID or you don’t. You countersign their document or you don’t. Yes yes, I know, the notary system for the web isn’t that exact, and you can’t trust that people are doing their job, so you counteract their inexperience by not allowing them to assign as many points. But does this thought pattern really hold water? Especially if there is no legal ramification for a notary: if nobody is held liable for these assertions, who cares if they are assigning 5 points or 150 points?

In my opinion, the only sane way to handle persona validations is in a boolean fashion: you believe the person, or you don’t. It should be looked at the same way a Notary Public does (or at least the way Notary Publics SHOULD be looking at their job): “this is a legal document, if there is fraud I am liable, do I believe this person, and do I believe that they are not under duress”. If you don’t, then don’t make the assertion.

Perceived Value of Certs vs PGP

Filed under: Uncategorized — startssl @ 4:25 pm

I really want people’s comments on this post.

A bit of background: class levels for certificates are loosely agreed upon by the CA market, but the checking done varies radically between CAs. That being said, certificate class levels are as follows:

  1. Email address verified.
  2. Reasonable checking
  3. Thorough checking
  4. Government level checking

  • What level of trust do you assign the different class levels of certificates?
  • Do you trust the CA to follow through?
  • Does Class 1 certification with “Community validation” mean anything, even if it has OID metadata to support this claim?
  • Does a certificate mean anything more to you than a PGP key?
  • PGP keys can show you who signed the key; does a PGP cert from CAcert or GSWoT mean anything to you?
  • Does a certificate attached to a PGP key mean anything to you?
  • Do you trust PGP or CAs more? If PGP, do you know that a CA generally insures its certificates, and do you care?

All of these questions are based around the question being kicked around: do class 1 certs mean anything, and can they be made to be meaningful?

While the PGP questions seem unrelated, my premise is that PGP keys can’t TRULY be trusted unless you validate the person yourself; otherwise it is really only good for anonymous or pseudo-anonymous transactions, and the only piece of data worth trusting on a PGP key is the email address. This puts it (at least in my eyes) on par with a class 1 certificate.

September 16, 2006

SSL, DNS Poisoning/Pharming, Phishing and DNSSEC

Filed under: security — startssl @ 4:02 am

I have been reading emails lately from several mailing lists, and oddly enough the same subject is being discussed from as many angles as there are mailing lists. It made me think that I should actually put my thoughts down for people to read.

SSL has been touted as the answer to assurance of website identity, and while there is no doubt that SSL can play a significant role, it’s certainly not bulletproof, as is shown by this and this. For the sake of argument though, we will ignore all the issues of assuring a company’s identity. SSL encryption can’t tell you if you have been sent to the correct site; it only tells you if the DNS name (looked up from your machine) matches the name in the certificate. This is a real weakness if someone or something has modified your hosts file or poisoned the DNS, and the problem is made a lot worse by the fact that DNS is NOT secure.

“SSL would work a lot better if DNS were secured”, you say? Well, it can be, but most people don’t: DNSSEC is designed to solve these problems. WiKID is another choice, but it doesn’t solve the DNS insecurities; it mitigates the threat by doing mutual authentication. I like DNSSEC because it can be done easily with existing software.

Another issue is the fact that DNS doesn’t have any way to tell you that the website’s address doesn’t match the title being displayed by the HTML, so if a phishing site gets an SSL cert that matches its domain name, something like https://myobviouslyfakeip-255-255-255-255.mynonexsisitantISP.com, and the site says “eBay”, there is nothing that can be done.

In several browsers, like IE, revocation checking isn’t turned on by default; this makes compromised certs reusable.

Finally, because so many people don’t trust certificate authorities, are too cheap, or whatever, and therefore choose to use self-signed certs, users are conditioned to ignore warning boxes. This means that not only will users ignore all warnings not to do this, but they have been trained to think that this is not really a problem.
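To make the argument of the preceding paragraphs concrete, here is an added example (not code from this post, and not anything StartCom shipped) that models what a browser’s certificate check actually decides: the presented certificate must chain to a CA in the local trust store, and the name the user typed must match a dNSName in it, using the usual RFC 6125 style matching. The resolved IP address, the route the connection took and what the page says about itself never enter the verdict. The last scenario also ties in the Debian post above: once an unaudited CA sits in the store, a certificate it issued for the real name passes. Every CA name, certificate, address and resolver entry is constructed.

```python
"""Added example, not code from the original post: a model of what a TLS
client's certificate check actually decides.

Two things are checked: that the presented certificate chains to a CA in the
local trust store, and that the hostname the user typed matches a dNSName in
the certificate (RFC 6125 style matching). The resolved IP address, the route
taken and the page content play no part in the verdict. All CA names,
certificates, addresses and resolver entries below are constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    names: tuple   # dNSName entries from subjectAltName
    issuer: str    # CA that issued it (chain building reduced to one hop)


def match_hostname(cert_names, hostname):
    """RFC 6125 style dNSName matching: labels compare case-insensitively and
    "*" is honoured only as the entire leftmost label, covering exactly one
    label (so "*.example.com" matches "a.example.com", not "a.b.example.com"
    or "example.com")."""
    host = hostname.lower().rstrip(".").split(".")
    for name in cert_names:
        pat = name.lower().rstrip(".").split(".")
        if len(pat) != len(host):
            continue                      # a wildcard never spans zero or several labels
        if "*" in pat[1:]:
            continue                      # wildcard only in the leftmost label
        if pat[0] == "*" and len(pat) < 3:
            continue                      # refuse "*.com"-style patterns
        if all(p == "*" or p == h for p, h in zip(pat, host)):
            return True
    return False


def verify(hostname, cert, trusted_cas):
    """Everything hostname verification can say: (ok, reason)."""
    if cert.issuer not in trusted_cas:
        return False, "issuer not in trust store"
    if not match_hostname(cert.names, hostname):
        return False, "name mismatch"
    return True, "ok"


def connect(hostname, resolver, servers, trusted_cas):
    """Resolve the name, take whatever certificate the host at that address
    presents, and verify. The address itself is never checked."""
    ip = resolver[hostname]
    return verify(hostname, servers[ip], trusted_cas)


# Constructed environment (RFC 5737 documentation addresses).
TRUSTED = frozenset({"Audited Root CA"})
SERVERS = {
    "192.0.2.10": Cert(("bank.example", "www.bank.example"), "Audited Root CA"),
    # a look-alike name with a perfectly valid certificate of its own
    "198.51.100.7": Cert(("bank-login.example",), "Audited Root CA"),
    # the real name, but certified by a CA nobody audited
    "198.51.100.8": Cert(("bank.example",), "Unaudited CA"),
}
HONEST_DNS = {"bank.example": "192.0.2.10", "bank-login.example": "198.51.100.7"}
POISONED_DNS = {"bank.example": "198.51.100.7"}   # real name sent to the look-alike host
POISONED_DNS_UNAUDITED = {"bank.example": "198.51.100.8"}


def scenarios():
    """Outcomes a practitioner should be able to predict before running this."""
    return {
        "honest dns": connect("bank.example", HONEST_DNS, SERVERS, TRUSTED),
        "poisoned dns, look-alike cert": connect("bank.example", POISONED_DNS, SERVERS, TRUSTED),
        "poisoned dns, unaudited CA": connect("bank.example", POISONED_DNS_UNAUDITED, SERVERS, TRUSTED),
        "poisoned dns, unaudited CA added to store":
            connect("bank.example", POISONED_DNS_UNAUDITED, SERVERS, TRUSTED | {"Unaudited CA"}),
        "user typed the look-alike name": connect("bank-login.example", HONEST_DNS, SERVERS, TRUSTED),
    }


if __name__ == "__main__":
    for label, (ok, reason) in scenarios().items():
        print(f"{'PASS' if ok else 'FAIL':4}  {label}: {reason}")
```

Read the scenarios together: a poisoned answer is caught only because the attacker’s host cannot present a trusted certificate for the typed name; the moment the user types the look-alike name, or an unaudited CA is added to the store, the check passes with nothing to warn about. Revocation, which the post also raises, is not modelled here; with checking off, a compromised certificate for the real name would pass the same way.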

Now what about validating the ownership of a domain? How does a CA validate that the person asking for the SSL cert SHOULD be asking for it? Well, you could try sending an email to the admin address in the resource record, if that email is up to date, works and is published. You could ask for some paper proof, if the person on the paperwork is the person doing the requesting. But the only REAL way to check ownership of the domain is to register the domain from the CA, or for the person doing the requesting to do some administrative task.

Well, if the requester were to transfer DNS to the CA, that would prove ownership, and the CA could secure the DNS with DNSSEC; now the DNS is safe. Another choice would be for the actual registration of a domain to happen at the CA.
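The “administrative task” option above can be made precise. The following is an added example, not StartCom’s validation procedure: the CA issues a random token bound to the requested domain, and the requester proves control of the zone by publishing that token in a DNS TXT record, which the CA then looks up. The record label (`_ca-challenge.`), the token format and the ten-minute time limit are my assumptions; the post does not specify any of them. The DNS lookup is passed in as a function so the example runs offline against a constructed zone.

```python
"""Added example, not the CA's own procedure: a domain-control challenge of
the "do some administrative task" kind the post ends on.

The CA issues a random token bound to the requested domain; the requester
proves control of the zone by publishing it in a DNS TXT record, which the CA
then looks up. The record label, the token form and the time limit are
assumptions, not something the post specifies. The DNS lookup is injected so
the example runs offline against a constructed zone."""

import hmac
import secrets
import time

CHALLENGE_TTL = 600                 # seconds a token stays valid (assumed policy)
RECORD_PREFIX = "_ca-challenge."    # assumed label under which the token is published


def issue_challenge(domain, now=None):
    """CA side: a fresh, unguessable token tied to one domain and one time window."""
    return {
        "domain": domain.lower().rstrip("."),
        "token": secrets.token_urlsafe(32),
        "issued_at": time.time() if now is None else now,
    }


def validate_challenge(challenge, lookup_txt, now=None):
    """CA side: query the zone and decide. Returns (ok, reason).

    lookup_txt(name) must return the list of TXT strings found at that name."""
    now = time.time() if now is None else now
    if now - challenge["issued_at"] > CHALLENGE_TTL:
        return False, "challenge expired"
    records = lookup_txt(RECORD_PREFIX + challenge["domain"])
    # Exact match against each TXT string, compared in constant time so the
    # verdict's timing does not depend on how many token bytes were right.
    expected = challenge["token"].encode()
    for txt in records:
        if hmac.compare_digest(txt.strip().encode(), expected):
            return True, "token found in zone"
    return False, "token not published"


def demo(now=1_000_000.0):
    """Walk through the states a validation can end in, on a constructed zone."""
    zone = {}                                   # constructed: name -> list of TXT strings

    def lookup(name):
        return zone.get(name, [])

    chal = issue_challenge("Example.org.", now=now)
    not_yet = validate_challenge(chal, lookup, now=now)          # nothing published yet
    zone["_ca-challenge.example.org"] = ["v=unrelated", chal["token"]]
    published = validate_challenge(chal, lookup, now=now + 5)    # requester did the task
    other = issue_challenge("example.org", now=now)              # a second, unrelated request
    wrong_token = validate_challenge(other, lookup, now=now)     # zone holds someone else's token
    stale = validate_challenge(chal, lookup, now=now + CHALLENGE_TTL + 1)
    return not_yet, published, wrong_token, stale


if __name__ == "__main__":
    for label, (ok, reason) in zip(("not yet", "published", "wrong token", "stale"), demo()):
        print(f"{label:12} {'ok' if ok else 'rejected'}: {reason}")
```

Two design points carry the security weight: the token is generated by the CA, not chosen by the requester, so only someone who can write to the zone can make the check pass; and the challenge expires, so a record left behind from an earlier validation cannot be reused indefinitely. In a real deployment the lookup would of course be a real resolver, and it is exactly here that the DNSSEC point of the post applies: without it the CA’s own lookup can be poisoned just like the user’s.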

September 14, 2006

Making a Digital Identity Assertion like the Notary Public System

Filed under: Digital Identity, identity — startssl @ 4:38 pm

In the real world when you have a very important document that needs to be signed and the identity of the signer validated, you get a Notary Public involved. The Notary checks the signer’s ID, witnesses the signature, and then countersigns the document and stamps it. Then, if the Notary is following the “model notarial act”, they and the signer sign a notary journal. This makes the signature more legally binding than a normal signature. This notarization process is necessary on many documents like wills, loans and adoption papers.

This whole process is necessary because you can’t imprint your photo ID onto a piece of paper, and even if you somehow could, it wouldn’t be a good idea to have all those details on a piece of paper.

An X.509 certificate is very much equivalent to an inked signature, and in some states here in the US they are just as legally binding. But what about a Notary’s countersigning capability? Well, if we look at Class 3 and Class 4 certificates and the checking that is supposed to be done for them, then the notarization process is already done, because the ID check is done. This makes the Notary process almost completely unnecessary, or it would be if the certs were protected, say on a smartcard, to prevent misuse.

Because most people don’t protect their certificates properly, and the TIME of a signature is very important, eNotarization becomes reasonable again.

So how would a CA do due diligence for identity validation, to create a class 3 or 4 certificate that means what it is supposed to? Well, the obvious answer is to model a system after a real world system that is supposed to address the same problem, and try to eliminate the problems that have presented themselves.

So what should a Notary be doing?

Narrowing the various powers of a Notary Public down to what the office. This sounds like what a Web of Trust Notary should be doing
Ignoring the fact that lots of states don’t require any training or testing for Notaries, a Notary should be familiar with photo IDs and should be able to identify a fake, so they can validate the signature.

What process does a Notary follow?

Ideally this

So what would need to be done for persona validation for an electronic notarization?

Ideally, exactly the same thing with a few considerations.

  • Notary seals are used to show that 1, they are a notary, and 2, that it is the Notary doing the validation, not someone forging a signature. The only way to get this kind of certainty in the electronic world is to protect the Notary’s cert on a smartcard.
  • Notary Publics must be bonded (and sometimes insured); electronic persona validation means nothing if the Notaries aren’t similarly covered.
  • Notary Publics are subject to malfeasance rules, electronic Notaries must also be subject to such regulations.
  • Notary Publics (in states that have updated laws) must show knowledge of the laws that govern them AND have manuals that help them spot fake IDs. Electronic Notaries also need to have this knowledge and be able to prove it.
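The paper journal the post mentions, in which notary and signer both sign, has a natural electronic counterpart: an append-only record in which each entry is hash-chained to the one before it, so that a later change to any entry, the attested time in particular, is detectable. The following is an added example, not part of the post and not a StartCom design: it records what a notary actually attests to (document digest, the signer as identified, which ID was examined, the notary, the time) and verifies the chain. The notary’s own signature over each entry, made with the key the post wants held on a smartcard, is outside the Python standard library and is left out; the chain gives tamper evidence, not non-repudiation. All names and documents are constructed.

```python
"""Added example, not part of the original post: an append-only electronic
notary journal, the counterpart of the paper journal the post describes.

Each entry records what a notary attests to (document digest, the signer as
identified, the ID examined, the notary, and the time) and is chained to the
previous entry by a SHA-256 hash, so a later change to any entry is
detectable. The notary's own signature over each entry (made with the key on
the smartcard) is outside the standard library and is left out here: the
chain gives tamper evidence, not non-repudiation. All names and documents
below are constructed."""

import hashlib
import json

GENESIS = "0" * 64   # prev_hash of the very first entry


def _digest(obj) -> str:
    # Canonical JSON so the same entry always hashes to the same value
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def document_digest(document: bytes) -> str:
    """The journal never holds the document itself, only its hash."""
    return hashlib.sha256(document).hexdigest()


class NotaryJournal:
    def __init__(self):
        self.entries = []

    def append(self, document: bytes, signer: str, id_checked: str,
               notary: str, timestamp: str) -> str:
        """Record one attestation; returns the new entry's hash."""
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries),
            "document_sha256": document_digest(document),
            "signer": signer,
            "id_checked": id_checked,      # which photo ID was examined
            "notary": notary,
            "timestamp": timestamp,        # ISO 8601; the time being attested
            "prev_hash": prev,
        }
        entry = dict(body, entry_hash=_digest(body))
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self):
        """Walk the chain; returns (ok, sequence number of the first bad entry or None)."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if (entry["seq"] != i
                    or body["prev_hash"] != prev
                    or _digest(body) != entry["entry_hash"]):
                return False, i
            prev = entry["entry_hash"]
        return True, None


def demo():
    """Two constructed attestations, then a back-dated first entry."""
    journal = NotaryJournal()
    journal.append(b"Last will of A. Signer (constructed)", "A. Signer",
                   "passport", "N. Otary", "2006-09-14T16:38:00Z")
    journal.append(b"Loan agreement #42 (constructed)", "B. Borrower",
                   "driver's license", "N. Otary", "2006-09-14T17:02:00Z")
    intact = journal.verify()
    journal.entries[0]["timestamp"] = "2006-09-13T16:38:00Z"   # tamper: move the time back a day
    return intact, journal.verify()


if __name__ == "__main__":
    before, after = demo()
    print("intact journal:", before)
    print("after back-dating entry 0:", after)
```

Because every entry carries the hash of its predecessor, rewriting entry 0 would require recomputing every hash after it; once each entry is also signed by the notary’s smartcard key, and the entry hashes are published or countersigned by the CA, that rewrite becomes impossible without the notary’s cooperation, which is what the bonding and malfeasance points in the list above are meant to deter.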

September 13, 2006

Identity and Certificate Authorities

Filed under: Digital Identity, identity, security — startssl @ 7:03 pm

The need for a validated identity in the digital world is becoming more and more pronounced; still, most people aren’t even aware that there are solutions to provide a digital identity. But then again, what is a digital identity, and who is it that would issue something equivalent to a digital driver’s license?

We could sit and kick around all the possibilities for a digital driver’s license, PGP, X.509 certs, Federated Identity etc., and discuss the strengths and weaknesses of each, but I am more interested in moving towards the future.

Identity 2.0 is a very interesting idea; if you haven’t seen it, I highly recommend that you watch this and this. But how do we know that any of the data for a Sxip persona has been validated, that this person is who they say they are? It’s a sad state of affairs, but when someone signs up for your website, you have no idea if that person is who they say they are, if they are the age they claim to be, or even that they are a human.

Certificate Authorities are supposed to validate their users, but in most cases they have failed miserably, and now a whole new class of “highly validated” or “high assurance” certificates is emerging. If we stop and think though, you are supposed to be able to tell the validation level of a cert by looking at the class level. Class 1 certs are email validated, class 2 are “reasonable checking” which varies from CA to CA, and class 3 are “strong checking”, and these class 3 certificates are supposed to be as good as need be. The validity of these things has been watered down by bad practices, but if you could trust that the CA was doing what they are supposed to be doing, then class 3 email certificates would be an excellent place to start your “digital driver’s license”.

Well, without mentioning names of Certificate Authorities that haven’t done their job, there are 2 that are definitely trying, StartCom and Thawte. StartCom is following all the “best practices”, including such things as issuing the different class levels of certificates from different Sub-CAs, so it is easy to identify the class level of a certificate simply by looking at the issuing chain.

If we suppose that a class 2 certificate is good enough (class 2 certs from StartCom are more thoroughly checked than class 3 certificates from other CAs), we have a good starting point, but how do we pass this around, and how do you go about protecting this bit of data, especially with digital signatures being legally binding in different circumstances?

Protecting a certificate on a smartcard gives you some real benefits, not the least of which is limiting how many copies are lying around (how many copies of your drivers license do you want lying around?).

Still, if you say that a client certificate is equivalent to a digital driver’s license, then you have to ask: what good is it, what can I do with it? I am hoping that with input and ideas from others, client certificates will be able to be used as strong authentication for systems like Sxip.

Systems like Sxip are trying to solve the issue of who you are when you hit a website, but do I trust that the homesite did due diligence when validating you? Since we can’t trust the big names in the CA world to do it, how can we trust these other sites?

It seems like the only way we can trust identity claims, is if we trust the source, so which source do we trust? In the real world we assume that drivers licenses and passports are subject to due diligence, but we aren’t 100% sure, and then we have the problems of fake IDs.

Identity is a bit of a sticky wicket if you want to be sure that you are talking to who you think. But with things like HIPAA it becomes VERY important, even if the laws aren’t written terribly well.

I am hoping that the StartSSL community (a.k.a. the StartCom Web of Trust) will be able to come up with solutions, and pave the way to a bright future.

September 12, 2006

The StartCom Web of Trust Project

Filed under: Uncategorized — startssl @ 8:53 pm

Those of us that are unhappy with the existing Web of Trust projects that are out there, especially those that are involved with Certificate Authorities, are creating a new one. This is mostly due to the fact that the others are broken beyond repair. StartCom is a CA that is already, or soon will be, included in most of the major browsers and operating systems. They have done a spectacular job of getting organized and doing everything that is necessary to become trusted; however, due to the fact that their CPS states that all certificates need to be insured, creating trust based on the word of someone other than the staff at StartCom just hasn’t been acceptable.

So starting now, we are going to try to fix the problems that plague other WoTs, and create a policy that will allow people and companies to be validated in such a way that the validation would hold up, not only for insurance but in a court of law as well.   On staff we have a Notary Public, several Notary/Assurers from other CAs, the person responsible for writing the StartCom CPS, and we have the support of the CA.
