[cryptography] Let's go back to the beginning on this

Marsh Ray marsh at extendedsubset.com
Thu Sep 15 14:16:04 EDT 2011

On 09/15/2011 12:15 PM, Ian G wrote:
> Trust in a CA might be more like 99%.
> Now, if we have a 1% untrustworthy rating for a CA, what happens when
> we have 100 CAs?
> Well, untrust is additive (at least). We require to trust all the
> CAs. So we have a 100% untrustworthy rating for any system of 100 CAs
> or more.

But that gets nonsensical when you add the 101st CA.

The CAs can each fail on you independently. Each one is a potential
weakest link in the chain that the Relying Party's security hangs from.
So their reliability statistics multiply:

one CA:   0.99      = 99% reliability
two CAs:  0.99*0.99 = 98% reliability
100 CAs:  0.99**100 = 37% reliability

I don't know many people who would consider a critical system that is
only 37% reliable to be meaningfully better than "100% untrustworthy"

> The empirical numbers show that: out of 60 or so CAs and 600 sub-CAs,
> around 4 were breached by that one attacker.

It's not believable that the breaches we've recently heard about are the
only times a commonly "trusted root CA" or one of their sub-CAs has
acted in a way that reduced the effective security of a Relying Party.

> So, what to do? When the entire system is untrustworthy, at some
> modelled level?

We'll figure something out, but it will take time.

> Do we try harder, Sarbanes-Oxley style?

Even if you were to implement better controls to append a few more '9's
on the reliability statistic of every CA, the exponential decay in the
reliability as experienced by the RP will still dominate. The current
structure (of having more than a handful of trusted roots) simply cannot
be made to produce a system that is credibly secure for more than
low-value liability-limited transactions.

> Or, stop using the word trust?
The word 'trust' meant something useful when it was used to describe a
"web of trust" between PGP-using cipherpunks. Those models seem to work
best when the parties are intelligent actors who each understand the model!

But the word has a lot of overloaded meanings. I met a man who had just
completed his PhD dissertation on the meanings of this word 'trust'.
Worst of all, normal people seem to use it as something of the opposite
meaning of what is meant by cryptographic trust.

The problem we're facing today with the browser-based HTTPS system has
some important differences, too. Nearly all other authentication systems
are designed primarily for the purpose of an expertly implemented server
authenticating a user (like password logins) or of a conscientious user
authenticating a user (like PGP). If authenticating the server is done
at all, it is usually considered a detail or an afterthought "to resist
man-in-the-middle attacks" rather than something fundamental. The HTTPS
system is actually a very rare and difficult case: a completely amateur 
user is expected to strongly authenticate the identity of the server, 
with assistance from his client software.

> Or?

Zooko said something the other day that has really stuck with me. I
can't get it out of my head; I hope he will give us a post to explain it.

"I find the word "trust" confuses more than it communicates. Try Mark S.
Miller's "relies on" instead!"

The Relying Party (the browser user) *relies on* all CAs in his client
software's "trusted root store". What does he rely on them to do? He
relies on them to refuse to issue a cert that could reduce his effective
security. When a CA issues sub-CAs, the user relies on them too.

It's a far more precise statement of the reality, one which saves us
from the fallacy of "the user trusts the CA therefore whatever the CA
issues is trusted by definition and the user has no place to complain".

Is this user's reliance dependency transitive? -> Yes, obviously.

Is "trust" transitive? -> Deep philosophical discussion.

I think it also makes more clear the absurdity of the present situation.

- Marsh
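The multiplicative reliability argument in the post, worked through as an added Python example (this is not code from the post or from the mailing list). It generalises the `0.99**100` figure to a root store with any mix of per-CA reliabilities, puts the additive model from the quoted message beside it for comparison, and quantifies what "appending a few more 9s" to every CA actually buys a relying party. The per-CA reliability figures are constructed illustrations; the 60 roots / 600 sub-CAs counts are the ones quoted in the thread.

```python
"""Independent-failure model of a relying party's CA trust store.

Added example, not part of Marsh Ray's post. Every CA in the store is a
separate weakest link: the relying party is only safe if none of them
misissues, so per-CA reliabilities multiply. All numbers below are
constructed illustrations, not measurements.
"""
import math


def system_reliability(reliabilities):
    """Probability that no CA in the store fails, assuming independent CAs."""
    result = 1.0
    for r in reliabilities:
        if not 0.0 <= r <= 1.0:
            raise ValueError(f"reliability out of range: {r}")
        result *= r
    return result


def additive_untrust(reliabilities):
    """The additive model from the quoted message, kept only for comparison:
    untrust sums and saturates at 100%, so the 101st CA changes nothing."""
    return min(1.0, sum(1.0 - r for r in reliabilities))


def per_ca_reliability_needed(n_cas, target):
    """Per-CA reliability r such that n identical CAs give r**n == target."""
    if n_cas < 1 or not 0.0 < target <= 1.0:
        raise ValueError("need n_cas >= 1 and 0 < target <= 1")
    return target ** (1.0 / n_cas)


def max_cas_for_target(r, target):
    """Largest number of identical CAs (reliability r) whose product still
    meets the target system reliability."""
    if not 0.0 < r < 1.0 or not 0.0 < target <= 1.0:
        raise ValueError("need 0 < r < 1 and 0 < target <= 1")
    return math.floor(math.log(target) / math.log(r))


def nines(r):
    """Number of leading nines in a reliability: 0.99 -> 2.0, 0.999 -> 3.0."""
    if not 0.0 <= r < 1.0:
        raise ValueError("need 0 <= r < 1")
    return -math.log10(1.0 - r)


if __name__ == "__main__":
    # The post's own arithmetic, reproduced by the general function.
    for n in (1, 2, 100):
        print(f"{n:>3} CAs at 0.99: {system_reliability([0.99] * n):.0%}")

    # Adding a nine to every CA: 660 CAs at 0.999 is still a coin flip.
    print(f"660 CAs at 0.999: {system_reliability([0.999] * 660):.0%}")

    # Constructed heterogeneous store: 60 roots at 0.999, 600 sub-CAs at 0.99.
    store = [0.999] * 60 + [0.99] * 600
    print(f"60 roots + 600 sub-CAs: {system_reliability(store):.2%}")

    # What per-CA reliability would 660 CAs need for a 90% system figure?
    r = per_ca_reliability_needed(660, 0.9)
    print(f"need r = {r:.6f} per CA ({nines(r):.1f} nines) for 90% overall")

    # Conversely, how many 0.99 CAs can a store hold and stay above 90%?
    print(f"0.99 CAs tolerated for 90%: {max_cas_for_target(0.99, 0.9)}")
```

The `additive_untrust` function exists only to show the saturation the post objects to: it returns 100% untrust at 100 CAs and the same 100% at 101, whereas `system_reliability` keeps decaying. The `per_ca_reliability_needed` and `nines` pair make the "more 9s" point concrete: the required per-CA figure rises with the size of the store, so controls that improve each CA are chasing a target that the store's growth keeps moving.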
