StartCom Web of Trust

June 18, 2011

Reliance Upon “Inked” signatures

Filed under: Digital Identity, identity, security — startssl @ 9:01 pm

More than once in the past few months I have been told that a digital signature is not good enough for a given transaction.  This has prompted me to write this post; I have even waited a few weeks since the last one to mellow my anger.

I despise the interpretations of law where the “letter of the law” is more important than the “spirit of the law”.  In many cases the letter of the law completely contradicts the idea of what is trying to be accomplished by passing the law in the first place.  A good example is HIPAA laws forbidding the use of email while condoning the use of FAX.  The spirit of the law is to prevent the use of technology that is easily intercepted.  Ignoring the fact that email encryption exists, the law ignores changes in technology like the transmission of faxes over the internet, and ignores how many nurses and others walk by the faxes before the sensitive documents are delivered to the proper person.

Now, let’s clear up some terminology. A “digital signature” is a blob of electronic data that can be validated by a public key as having been created by a unique private key, and is based on public-key cryptography.  The 2 popular forms for creating these are X.509 and PGP.  X.509 is used every single day by most everyone using the internet; it is the basis for SSL and TLS.  Users of Windows who have installed device drivers have seen these signatures (or lack thereof) when presented with the “Always Trust Software From X Company” or “Install drivers anyway” dialogs.  PGP signatures are used to validate the software packages of almost all Linux systems, even if you aren’t doing it manually.   These signatures are used because they are not feasible to forge (under normal circumstances) and the signing keys can be revoked should they be compromised. Furthermore, a Certificate Authority usually does some work to validate the person’s identity before issuing a certificate to someone; this is often a better check than most notaries do.

An “electronic signature” is defined as a unique bit of electronic data that uniquely identifies a person.  In my mind, the spirit of the law would say that an image that anyone could surreptitiously create would not qualify.

Finally, the most abused term is “e-signature”, used to describe both digital signatures and pictures of signatures on documents.  With no clear usage and no clear definition, I avoid this term altogether.  Instead I use the quoted term “inked” to mean either a real signature with ink or an image of it (this is consistent with the idea that it looks like someone really signed a document with an ink pen), and “digital signature” to indicate the cryptographic signatures.

Now an “inked” signature on a fax is extraordinarily easy to forge; all that is needed is an example of a signature.  This could be as easy as picking up a signed credit card receipt, signature ink stamps, or an image of a signature saved unencrypted on a hard drive to send on faxes (yes, I know people who do this).  Once an image is obtained, it is a very simple task to superimpose a signature on a given document and send it via fax.  Someone out there reading this is saying “that can’t be, it would be easy to tell”; well, fax is a very low resolution, so any amateur can pull it off with ease, and since it is a simple black and white manipulation, you don’t have to be able to put Britney Spears’ head on a porn star’s body and make it look reasonable to make this work. Even if you know that someone is out there forging your signature, you can’t revoke it and create a new one.
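The two properties the post contrasts with an inked signature, that an altered document fails verification and that a compromised key can be revoked and replaced, as an added example in Go. This is illustration code, not the post’s; the Verifier type, its revocation list and the sample document are assumptions of the example, and Ed25519 stands in for the X.509 or PGP signatures the post refers to.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Verifier models what a relying party keeps: the public keys it trusts and
// the ids of keys that were revoked after compromise. Assumed structure.
type Verifier struct {
	trusted map[string]ed25519.PublicKey // key id -> public key
	revoked map[string]bool              // key ids that may no longer sign
}

func keyID(pub ed25519.PublicKey) string { return hex.EncodeToString(pub[:8]) }

func NewVerifier() *Verifier {
	return &Verifier{trusted: map[string]ed25519.PublicKey{}, revoked: map[string]bool{}}
}

func (v *Verifier) Trust(pub ed25519.PublicKey) string { id := keyID(pub); v.trusted[id] = pub; return id }
func (v *Verifier) Revoke(id string)                   { v.revoked[id] = true }

// Verify returns nil only if sig was made over exactly this document by a
// key that is trusted and has not been revoked.
func (v *Verifier) Verify(id string, doc, sig []byte) error {
	pub, ok := v.trusted[id]
	if !ok {
		return fmt.Errorf("unknown signing key %s", id)
	}
	if v.revoked[id] {
		return fmt.Errorf("signing key %s has been revoked", id)
	}
	if !ed25519.Verify(pub, doc, sig) {
		return fmt.Errorf("signature does not match document")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	v := NewVerifier()
	id := v.Trust(pub)
	doc := []byte("I agree to pay $100.") // constructed sample document
	sig := ed25519.Sign(priv, doc)
	fmt.Println("genuine:", v.Verify(id, doc, sig))
	fmt.Println("altered:", v.Verify(id, []byte("I agree to pay $1000."), sig))
	v.Revoke(id) // key compromised: unlike an inked signature, it can be retired
	fmt.Println("after revocation:", v.Verify(id, doc, sig))
}
```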

Given the ease of making these manipulations, you would hope that they would at least require the documents to be notarized before allowing the signed documents to be binding.  No, they don’t.  Someone in another town could forge your signature, send it off, and these groups would take it as legally binding.

Knowing all of this, and knowing that my state (along with most others) recognizes digital signatures as legally binding, I sent the corporations in question a digitally signed document, and they refused, insisting that I fax them an “inked” signature, without requiring notarization.  This is purely a misunderstanding on the legal team’s part as to the spirit of the law vs. the letter.   Somehow they think that they are covering themselves legally should the document be challenged.  Any good lawyer should be able to show how easy it is to forge these signatures.

If I had the time, energy and money I would love to challenge the validity of these documents.

October 21, 2006

Mozilla against Debian?

Filed under: security — startcom @ 8:55 am

There were many articles during the last few weeks concerning the Firefox issue on Debian, and it seems that many are getting it completely wrong. So even though too much has already been said on this subject, I decided to write this article and hope, at last, to have the right things put on the table. The issue at hand is of course the much-debated request from Mozilla to the Debian developers to refrain from using the Firefox trademark as long as they change the source code.

Why? It’s not only because the Firefox logo is non-free, but because Firefox stands for a certain standard, policy and quality. Let me explain this and give you a very good reason why Debian’s version of Firefox can’t be called Firefox. One of the reasons I see is that the Debian developers do some really stupid things and add insecure stuff to the code... Yes, you heard right!

Debian adds CA certificates of “certification authorities” which were never audited and do not comply with expected industry standards and behaviors to the trusted certificate store of Firefox (this according to a claim made by one of these CAs, which includes a screenshot)! Now, Mozilla invests quite some time, effort and resources into this issue, to make sure that certification authorities live up to their promises. Mozilla developed clear guidelines and a CA policy which defines which conditions must be met by certification authorities in order to be shipped as a trusted CA within Firefox. Mozilla in return is to a certain extent responsible for this and has to comply with its own policy...

And here comes Debian, changes the rules and therefore can’t mark it as Firefox! They can call it whatever they like, but it’s not the brand of Firefox anymore, especially by doing such stupid things! Mozilla can’t take responsibility for these changes made by Debian and therefore had to request that Debian either change this dangerous behavior and refrain from adding untrusted CAs to their certificate store, or change the brand name and logo. Needless to say, Debian endangers its own users by doing this, but that’s perhaps their beer…

Note: I’m not affiliated with Mozilla in any way nor do I have any information from Mozilla concerning this issue. Since I work at a certification authority, I’m aware of this behavior by Debian and it was my own reasoning and conclusion on this subject.

September 16, 2006

SSL, DNS Poisoning/Pharming, Phishing and DNSSEC

Filed under: security, Uncategorized — startssl @ 4:02 am

I have been reading emails lately from several mailing lists, and oddly enough the same subject is being discussed from as many angles as there are mailing lists.  It made me think that I should actually put my thoughts down for people to read.

SSL has been touted as the answer to assurance of website identity, and while there is no doubt that SSL can play a significant role, it’s certainly not bulletproof, as is shown by this and this. For the sake of argument though, we will ignore all the issues of assuring a company’s identity.  SSL encryption can’t tell you if you have been sent to the correct site; it only tells you if the DNS name (looked up from your machine) matches the name in the certificate. This is a real weakness if someone or something has modified your hosts file or poisoned the DNS.  This problem is made a lot worse by the fact that DNS is NOT secure.

“SSL would work a lot better if DNS were secured,” you say? Well, it can be, but most people don’t do it; DNSSEC is designed to solve these problems.  WikID is another choice, but it doesn’t solve the DNS insecurities; it mitigates the threat by doing mutual authentication. I like DNSSEC because it can be done easily with existing software.

Another issue is the fact that DNS doesn’t have any way to tell you that the website’s address doesn’t match the title being displayed by the HTML, so if a phishing site gets an SSL cert that matches its domain name, something like https://myobviouslyfakeip-255-255-255-255.mynonexsisitantISP.com, and the site says “eBay”, there is nothing that can be done.
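What the TLS layer can and cannot check, as an added Go example that is not from the post: a certificate carrying the phishing hostname from the paragraph above matches that hostname, and the same certificate does not match ebay.com. The selfSignedFor helper and NameMatches function are this example’s own; nothing in the protocol compares the page title or brand with the certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selfSignedFor builds a throwaway self-signed certificate whose only
// identity claim is the given DNS name (an example helper, not real CA output).
func selfSignedFor(dnsName string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NameMatches is the check a TLS client performs: does the host it resolved
// and connected to appear among the names the certificate was issued for?
func NameMatches(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

func main() {
	phish := "myobviouslyfakeip-255-255-255-255.mynonexsisitantISP.com" // hostname from the post
	cert, err := selfSignedFor(phish)
	if err != nil {
		panic(err)
	}
	fmt.Println("cert for phishing host, client connected to phishing host:", NameMatches(cert, phish))
	fmt.Println("same cert, client expected ebay.com:", NameMatches(cert, "ebay.com"))
}
```

The first check succeeds even though the page may say “eBay”; only a mismatch between the resolved name and the certificate, as in the second check, produces a warning.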

By default in several browsers, like IE, revocation checking isn’t turned on; this makes compromised certs re-usable.

Finally, because so many people don’t trust certificate authorities, are too cheap, or whatever, and therefore choose to use self-signed certs, users are conditioned to ignore warning boxes.  This means that not only will users ignore all warnings not to do this, but they have been trained to think that this is not really a problem.

Now what about validating the ownership of a domain: how does a CA validate that the person asking for the SSL cert SHOULD be asking for it?  Well, you could try sending an email to the admin address in the resource record, if that email is updated, works and is published.  You could ask for some paper proof, if the person named on the paperwork is the person doing the requesting.  But the only REAL way to check ownership of the domain is to register the domain through the CA, or for the person doing the requesting to do some administrative task.

Well, if the requester were to transfer DNS to the CA, that would prove ownership, and the CA could secure the DNS with DNSSEC; now the DNS is safe. Another choice would be for the actual registration of a domain to happen at the CA.

September 13, 2006

Identity and Certificate Authorities

Filed under: Digital Identity, identity, security, Uncategorized — startssl @ 7:03 pm

The need for a validated identity in the digital world is becoming more and more pronounced; still, most people aren’t even aware that there are solutions to provide a digital identity. But then again, what is a digital identity, and who is it that would issue something equivalent to a digital driver’s license?

We could sit and kick around all the possibilities for a digital driver’s license (PGP, X.509 certs, Federated Identity, etc.) and discuss the strengths and weaknesses of each, but I am more interested in moving towards the future.

Identity 2.0 is a very interesting idea; if you haven’t seen it, I highly recommend that you watch this and this. But how do we know that any of the data for a Sxip persona has been validated, that this person is who they say they are? It’s a sad state of affairs, but when someone signs up for your website, you have no idea if that person is who they say they are, if they are the age they claim to be or even that they are a human.

Certificate Authorities are supposed to validate their users, but in most cases they have failed miserably, and now a whole new class of “highly validated” or “high assurance” certificates is emerging. If we stop and think though, you are supposed to be able to tell the validation level of a cert by looking at the class level. Class 1 certs are email validated, class 2 are “reasonable checking” which varies from CA to CA, and class 3 are “strong checking”, and these class 3 certificates are supposed to be as good as need be. The validity of these things has been watered down by bad practices, but if you could trust that the CA was doing what they are supposed to be doing, then class 3 email certificates would be an excellent place to start your “digital driver’s license”.

Well, without mentioning names of Certificate Authorities that haven’t done their job, there are 2 that are definitely trying, StartCom and Thawte. StartCom is following all the “best practices”, including such things as issuing the different class levels of certificates from different Sub-CAs, so it is easy to identify the class level of a certificate simply by looking at the issuing chain.

If we suppose that a class 2 certificate is good enough (class 2 certs from StartCom are more thoroughly checked than class 3 certificates from other CAs), we have a good starting point, but how do we pass this around, and how do you go about protecting this bit of data, especially with digital signatures being legally binding in different circumstances?

Protecting a certificate on a smartcard gives you some real benefits, not the least of which is limiting how many copies are lying around (how many copies of your driver’s license do you want lying around?).

Still, if you say that a client certificate is equivalent to a digital driver’s license, then you have to ask: what good is it, what can I do with it? I am hoping that with input and ideas from others, client certificates will be able to be used as strong authentication for systems like Sxip.

Systems like Sxip are trying to solve the issue of who you are when you hit a website, but do I trust that the homesite did due diligence when validating you? Since we can’t trust the big names in the CA world to do it, how can we trust these other sites?

It seems like the only way we can trust identity claims is if we trust the source, so which source do we trust? In the real world we assume that driver’s licenses and passports are subject to due diligence, but we aren’t 100% sure, and then we have the problem of fake IDs.

Identity is a bit of a sticky wicket if you want to be sure that you are talking to who you think. But with things like HIPAA it becomes VERY important, even if the laws aren’t written terribly well.

I am hoping that the StartSSL community (a.k.a. the StartCom Web of Trust) will be able to come up with solutions, and pave the way to a bright future.
