07 April 2011

Certificate Authority Model Is Br0ken

I was mildly surprised when I read in Bruce Schneier's Blog that the Comodo Group Issued Bogus SSL Certificates. Here is yet another example of a CA that doesn't even understand why it exists, and what security precautions it should take because of this.

I think that the most prescient observation I have ever seen written about the Internet's current manifestation of CAs was written by Matt Blaze, who wrote:
"Commercial certificate authorities protect you from anyone from whom they are unwilling to take money."
Of course, in this particular case, Comodo Group was so eager to take money from people who wanted their stamp of approval that they partnered with various third parties in order to issue more certs, and they never ensured that these third parties implemented adequate security measures.

This NYT article also provides pretty good information.

Now a lot of this mess has ended up in the laps of browser manufacturers (Mozilla, Google, Opera, Microsoft, etc.). I feel bad for them, really, I do. I am involved with a project right now that works with things like root certificates, and handling certificate revocations is something that I am only beginning to have the time to investigate. This is a complicated area to work in...

