[TrustBar] [Fwd: Re: Low assurance SSL CAs]
Amir Herzberg
herzbea at macs.biu.ac.il
Wed Feb 23 16:53:11 EST 2005
Duane wrote:
> On Tue, February 22, 2005 20:15, Amir Herzberg said:
>>I am very supportive of your first proposal. In fact, what TrustBar
>>already does is allow the user to select name/logo for each CA (by
>>default this is the name of the CA, or logo if it is a CA we took the
>>trouble of putting the logo in our code - currently only for VeriSign
>>but we hope to add a few more soon; and it is very easy to select a logo
>>by the user). This already allows the user to distinguish between more
>>trusted and less trusted identifications (e.g. by VeriSign cf. to by
>>some of the less careful CAs - and many CAs make very limited
>>validations)
>
> Any chance of adding a logo for CAcert by default as well? :)

I'm not sure if you are serious or not. Anyway, in principle yes, in
practice it may take a while since most of our energies and time are
dedicated to further R&D. What I have in mind instead is to create a
simple way for you (and others) to provide the logos, in a way which can
be packaged with TrustBar by whomever distributes it (maybe including
you?).
>
>>Furthermore, I just discussed this matter with folks from VeriSign, and
>>indeed they are very anxious to allow users to differentiate between
>>their different products (and levels of assurance). The best solution
>>may be to allow the CA to choose a `product` or `assurance level` logo
>>which TrustBar will display adjacent to the CA logo.
>
>
> I think for this to be useful it needs some sane defaults, and leaving it
> up to the CAs won't be the most useful imho, they could possibly overstate
> how much they really should be trusted.

Well, notice that whatever they say is just appended to the CA logo; so
if your claims are too high you are hurting your own reputation. This is
not too different than if we agree on a scale and somebody cheats. Of
course, CAs may coordinate some common grades among them.

> Ideally (and I've said this a
> number of times to the mozilla news groups) we need more than binary
> security, the original design didn't eventuate how anyone thought it
> might, we have to deal with how things turned out not bury our heads in
> the sand and hoped they were better.

Well you know I agree.
... skip ...

> I'm getting a little sidetracked, but what is needed is a way to quantify
> CAs, and more to the point, the practices that lead to issuing a
> certificate, how much checking is performed, or how little whichever is
> more relevant. I've even seen some home brew CAs wanting to get their
> root certificates in browsers and they're not only doing no checking but
> issuing the private key to their users, I'd like to black list any
> certificate they issued.

Well, I hope you understand, that TrustBar is exactly about this -
making CA brand visible and accountable. Indeed, if you tell us you
don't trust a CA we'll warn you whenever a site uses a cert from this bad
CA. Isn't this what you want?
..skip...
>>What do you think (of the current TrustBar UI and of this possible
>>improvement)?
> At present it could be extended a little to incorporate my suggestions
> without too much effort from what I've seen...
>
> It comes across a certificate issued by a CA... in the defaults that root
> certificate according to the CPS the CA was audited on says they require
> the person to front up to a police station and do an affidavit out to make
> a sworn statement (with some police verification) they are who they say
> they are. I'd say this was due diligence and the root CA should be issued
> with a reasonable level of trust... On the other hand the same CA issues
> certificates from a different root certificate that only required email
> confirmation, I only expect to trust this certificate for things like
> webmail and smtp/imap etc, both are valid means to check verification, but
> the uses and amount of faith placed in the certificate should also be
> relevant, not simply ignored or written off as marketing and ignored by
> the security guys because they're too busy with their heads in the sand
> that one size fits all...

I'm not sure I understand what you suggest. We make the brand and cert
`class` (as defined by the CA) visible - why and how could we do more?
Best, Amir