Friday, April 08, 2011

more on global CA infrastructure from Dan Wallach

I decided not to update my previous post, it was getting a little straggly with so many updates.  Anyway, Dan Wallach's content-dense post is worth of its own entry here on this humble blog.


Dan Wallach writing on Freedom to Tinker makes several good points in following up on the recent CA compromise, here:
http://www.freedom-to-tinker.com/blog/dwallach/building-better-ca-infrastructure



Dan includes a bunch of useful links and discusses a couple of short-term promising approaches, for example:
A straightforward idea is to track the certs you see over time and generate a prominent warning if you see something anomalous. This is available as a fully-functioning Firefox extension, Certificate Patrol. This should be built into every browser.
and,
In addition to your first-hand personal observations, why not leverage other resources on the network to make their own observations? For example, while Google is crawling the web, it can easily save SSL/TLS certificates when it sees them, and browsers could use a real-time API much like Google SafeBrowsing. A research group at CMU has already built something like this, which they call a network notary. In essence, you can have multiple network services, running from different vantage points in the network, all telling you whether the cryptographic credentials you got match what others are seeing. Of course, if you're stuck behind an attacker's firewall, the attacker will similarly filter out all these sites.
UPDATE: Google is now doing almost exactly what I suggested

The joke has always been - every year starts fresh with: "This is the Year of PKI".  PKI will never have a "year" - it will continue to develop organically, being improved locally and globally through the efforts of lots of security technologists working collaboratively,  unfortunately sometimes in response to the efforts of bad actors.

No comments: