[cryptography] Let's go back to the beginning on this
ben at links.org
Fri Sep 16 12:33:26 EDT 2011
On Fri, Sep 16, 2011 at 5:21 PM, Marsh Ray <marsh at extendedsubset.com> wrote:
> On 09/16/2011 03:58 AM, Ben Laurie wrote:
>> On Fri, Sep 16, 2011 at 8:57 AM, Peter Gutmann
>> <pgut001 at cs.auckland.ac.nz> wrote:
>>> Marsh Ray<marsh at extendedsubset.com> writes:
>>> The CAs can each fail on you independently. Each one is a potential
>>>> link in the chain that the Relying Party's security hangs from. So their
>>>> reliability statistics multiply:
>>>> one CA: 0.99 = 99% reliability
>>>> two CAs: 0.99*0.99 = 98% reliability
>>>> 100 CAs: 0.99**100 = 37% reliability
>>> I realise that this is playing with numbers to some extent (i.e. we don't
>>> what the true reliability figure actually is), but once you take it out
>>> to what
>>> we currently have in browsers:
>> We could have a stab at it. A = Integral of number of CAs in trusted
>> root/number of years CAs have been around = ? (I'd guess 100?).
> This data could probably be collected quite accurately with some code
> B = Total failures/number of years = ? (1, maybe?)
> Difficult to know quantitatively, even about the present.
> Iran may have the dubious distinction of the first CA-issued MitM to have
> failed. I don't believe it was the first to have occurred, but up until very
> recently, some asserted that it had never happened.
We can count the ones we know about.
> So failure rate = A/B = 1% p.a.
>> giving reliability of 99% p.a.. What do you know?
> It's got to be worse than that because we know that for several months in
> 2011 there was an attacker with the who could mint himself whatever certs he
> wanted from Comodo and DigiNotar (he claims to still have this capability
> from several others). As far as I can tell, my Android phone is still
> vulnerable to his *.*.com certificate. Given that SSL has only been around
> about 16 years, the SSL-PKI cannot be more than 97% reliable.
> Anyone got better numbers?
> There are some complicating factors that make it difficult for this
> reliability analysis to get better than a back-of-the-envelope upper bound.
A sufficiently low upper bound is convincing enough :-)
> * The actual number of organizations knowing private keys with the ability
> to sign something the user's browser will trust is unknown. Yes, that's
> right, CAs refuse to disclose how many and to whom sub-CAs have been issued.
> We only get a lower bound from the SSL Observatory.
> * A 'failure' of a CA is probably often perceived by a small set, or only
> one, user. Presumably some of these sub-CAs have been loaded into SSL
> intercepting firewalls (e.g., BlueCoat devices) by corporations, this is one
> of the arguments given for issuance. Whether or not you believe that that is
> legitimate, it certainly seems plausible that a guest on the network could
> be intercepted without prior informed consent.
> * The degree of independence between the trusted root CAs and their sub-CAs
> is not well understood (the 150 vs 600 vs 1500 debate).
> * The issuance of a cert, a user's reliance on a cert, successful and
> failed attacks on users, attacks on CAs, etc. are discrete events and may be
> better modeled stochastically. Bayesian methods may be better at dealing
> with the presence of the large unknowns. (Alas my own Bayes-fu and Markov-fu
> are not presently up to the challenge).
> Whether you arrive at 37% or 99% reliable, any honest analysis will show
> the current system is ineffective against a significant set of adversaries.
I agree, but it would be nice to arrive at a sufficiently scary number with
> - Marsh
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the cryptography