[cryptography] Diginotar Lessons Learned (long)
iang at iang.org
Wed Sep 7 10:14:57 EDT 2011
On 7/09/11 7:34 AM, Fredrik Henbjork wrote:
> Here's another gem related to the subject. In 2003 CAcert wished to have
> their root certificate added to Mozilla's browser, and in the resulting
> discussion in Bugzilla, Mozilla cryptodeveloper Nelson Bolyard had the
> following to say:
> "I have no opinion about the worthiness of the particular CA being
> proposed in this bug. I don't know who it is yet. But my question would be:
> Does webtrust "attest" to this CA?
That was a clear NO at that time; a WebTrust audit was never done. And
they had the same problem that Thawte had in those days: one guy with
everything in his head, and his sock drawer.
But they got better! We can estimate progress from the DRC audit,
which is like a quality superset of WebTrust. 2003 to 2008 they didn't
meet that standard. By around 2009 they were in reasonable shape.
Some pluses, some minuses of course.
> I think that should be one of the criteria.
> PKI is about TRUST. All root CAs that are trusted for (say) SSL service
> are trusted EQUALLY for that service. If we let a single CA into mozilla's
> list of trusted CAs, and they do something that betrays the public's trust,
> then there is a VERY REAL RISK that the public will lose ALL FAITH in
> the "security" (the lock icon) in mozilla and its derivatives.
Yes. This is a double edged sword. The idea is to make it seamless for
users, who don't understand. This is good, hard to argue with. It
works, sort of. But there are consequences.
On the one hand, all CAs fight to do the minimum they can; once in,
they can sell certs at lowest cost because their certs look just like
anyone else's. No differentiation or discrimination is possible
(marketing terms) because any increase in quality is not perceived by
Hence, the well-known race-to-the-bottom, which is a big factor in
On the other hand, persistent frustration on the part of the
regulator/vendor/user community has led to higher and greater and more
expensive barriers. The CAs have not fought this because it works for
them. So, this has led to entrenchment of the industry, and a deadlock
where all attention goes to more and more audit, and it has become even
more unlikely that architectural change is possible.
> We don't want that to happen. If that happens, mozilla's PKI becomes
> nothing more than a joke. If you want to see mozilla's PKI continue to
> be taken seriously, you will oppose allowing unattested CAs into
> mozilla's list of trusted root CAs."
> Given the recent CA stories, I can't help but smile at that comment...
Yes. I hope Nelson can see now that the seeds of his fears were sown by
the very limitations he described, not by any particular CA or rejection
As James pointed out, "Shades of Sarbanes-Oxley." This is the same
thing that happened in the finance industry when Enron collapsed. Enron
led directly to Sarbanes-Oxley, which all claimed would stop the
problem. Never again!
But it didn't, and in fact, it provided a blanket of complexity for the
next problem. Global financial crisis ... was in big part enabled by
the inability for banks and finance companies to assess their risks ...
and this was in part because governance was forced into compliance mode
by Sarbanes-Oxley. Which also provided them the plausibility and
"We did what you told us to do, look, here's our auditor's invoice!"
So what do we do now? We review the framework and double the work.
Claim it'll never happen again. And wait for the next blow-up.
Instead, we could reduce the overall barriers, and erect smarter
barriers. Push more work across to the users, push more failures onto
the users. Open up the market; allow CAs to brand themselves, and
allow them to increase their quality to the point where it works for
their users ... differentiation ... rather than force them to decrease
the quality to compete penny-wise for a commodity product.
Problem with this standard marketing & econ view is that ... all the
institutions are composed of geeks. It's Greek. Mumble jumble. No,
this market is different, we can make it perfect, we got crypto! Got a
patch? Go speak to PKIX...
Disclosure: I was the auditor that started and terminated the DRC
review. DRC is a rewrite (simply put) of WebTrust that was much better,
much more mid-00s instead of mid-90s. More aligned to the strength of
But I terminated them because they couldn't meet DRC within the
resources ... they probably could have met WebTrust, again given the
The problem that CAcert faces now is that they've (arguably) caught up
to WebTrust, but now they face: WebTrust + Baseline Requirements +
Extended Validation (possibly) + vendor review. Each of those is a
serious audit, with serious costs.
So the bar in terms of quality and quantity has been lifted. (Also they
face other issues.)
If you are interested in the story, read "An Open Audit" in 95
James, like myself, comes from a dark past of payment systems.
Which is why he knows how to apply lessons from finance across to other