[cryptography] Diginotar Lessons Learned (long)

Ian G iang at iang.org
Wed Sep 7 10:14:57 EDT 2011

On 7/09/11 7:34 AM, Fredrik Henbjork wrote:

> Here's another gem related to the subject. In 2003 CAcert wished to have
> their root certificate added to Mozilla's browser, and in the resulting
> discussion in Bugzilla, Mozilla cryptodeveloper Nelson Bolyard had the
> following to say:
> "I have no opinion about the worthiness of the particular CA being
> proposed in this bug.  I don't know who it is yet.  But my question would be:
> Does webtrust "attest" to this CA?

That was a clear NO at that time; a WebTrust audit was never done.  And 
they had the same problem that Thawte had in those days, one guy with 
everything in his head, and his sock drawer.

But they got better!  We can estimate progress from the DRC audit [1] 
which is like a quality superset of WebTrust.  2003 to 2008 they didn't 
meet that standard.  By around 2009 they were in reasonable shape [2]. 
Some pluses, some minuses of course [3].

> I think that should be one of the criteria.
> PKI is about TRUST.  All root CAs that are trusted for (say) SSL service
> are trusted EQUALLY for that service.  If we let a single CA into mozilla's
> list of trusted CAs, and they do something that betrays the publics' trust,
> then there is a VERY REAL RISK that the public will lose ALL FAITH in
> the "security" (the lock icon) in mozilla and its derivatives.

Yes.  This is a double edged sword.  The idea is to make it seamless for 
users, who don't understand.  This is good, hard to argue with.  It 
works, sort of.  But there are consequences.

On the one hand, all CAs fight to do the minimum they can;  once in, 
they can sell certs at lowest cost because their certs look just like 
anyone else's.  No differentiation or discrimination is possible 
(marketing terms) because any increase in quality is not perceived by 
the market.

Hence, the well-known race-to-the-bottom, which is a big factor in 

On the other hand, persistent frustration on the part of the 
regulator/vendor/user community has led to higher and greater and more 
expensive barriers.  The CAs have not fought this because it works for 
them.  So, this has led to entrenchment of the industry, and a deadlock 
where all attention goes to more and more audit, and it has become even 
more unlikely that architectural change is possible.

> We don't want that to happen.  If that happens,  mozilla's PKI becomes
> nothing more than a joke.   If you want to see mozilla's PKI continue to
> be taken seriously, you will oppose allowing unattested CAs into
> mozilla's list of trusted root CAs."
> https://bugzilla.mozilla.org/show_bug.cgi?id=215243

> Given the recent CA stories, I can't help but smile at that comment...

Yes.  I hope Nelson can see now that the seeds of his fears were sown by 
the very limitations he described, not by any particular CA or rejection 
of same.

As James [4] pointed out, "Shades of Sarbanes-Oxley."  This is the same 
thing that happened in the finance industry when Enron collapsed.  Enron 
led directly to Sarbanes-Oxley, which all claimed would stop the 
problem.  Never again!

But it didn't, and in fact, it provided a blanket of complexity for the 
next problem.  Global financial crisis ... was in big part enabled by 
the inability for banks and finance companies to assess their risks ... 
and this was in part because governance was forced into compliance-mode 
by Sarbanes-Oxley.  Which also provided them the plausibility and 
liability cover.

"We did what you told us to do, look, here's our auditor's invoice!"

So what do we do now?  We review the framework and double the work. 
Claim it'll never happen again.  And wait for the next blow-up.

Instead, we could reduce the overall barriers, and erect smarter 
barriers.  Push more work across to the users, push more failures onto 
the users.  Open up the market;  allow CAs to brand themselves, and 
allow them to increase their quality to the point where it works for 
their users ... differentiation ... rather than force them to decrease 
the quality to compete penny-wise for a commodity product.

Problem with this standard marketing & econ view is that ... all the 
institutions are composed of geeks.  It's greek.  Mumble jumble.  No, 
this market is different, we can make it perfect, we got crypto!  Got a 
patch?  Go speak to PKIX...


[1] Disclosure:  I was the auditor that started and terminated the DRC 
review.  DRC is a rewrite (simply put) of WebTrust that was much better, 
much more mid 00s instead of mid 90s.  More aligned to the strength of 
EV, approximately.

[2] But I terminated them because they couldn't meet DRC within the 
resources ... they probably could have met WebTrust, again given the 

The problem that CAcert faces now is that they've (arguably) caught up 
to WebTrust, but now they face:  WebTrust + Baseline Requirements + 
Extended Validation (possibly) + vendor review.  Each of those is a 
serious audit, with serious costs.

So the bar in terms of quality and quantity has been lifted.  (Also they 
face other issues.)

[3] If you are interested in the story, read "An Open Audit" in 95 
pages.... http://iang.org/papers/open_audit_lisa.html

[4] James, like myself, comes from a dark past of payment systems. 
Which is why he knows how to apply lessons from finance across to other 
security contexts.
