[cryptography] Math corrections

ianG iang at iang.org
Wed Sep 21 14:30:58 EDT 2011

Hi all,

On 22/09/11 02:30 AM, Arshad Noor wrote:
> On 09/18/2011 11:59 AM, Peter Gutmann wrote:
>> Arshad Noor <arshad.noor at strongauth.com> writes:
>>> Just because you come across one compromised CA out of 100 in the browser,
>>> does not imply that the remaining 99 are compromised (which is what you are
>>> implying with your statement).
>> Since browser PKI uses universal implicit cross-certification, it is indeed
>> the case that if one CA is compromised, all are compromised.  So Ian is
>> correct in his assessment.
> I disagree, Peter.
> In the first place, as you know, browsers have a trust-store of unique
> self-signed TTP CA certificates; not cross-certified certificates.  All
> SSL/TLS connections between browsers and a site with an SSL certificate
> issued by one of those TTP CAs involve a *direct* trust-chain.  A
> browser user (or manufacturer) always has the ability to delete any TTP
> CA certificate from their trust-store and sever the trust-chain, at
> will.  Notwithstanding the fact that most users don't know anything
> about trust-stores and TTP CA certificates, it does not change the fact
> that these are direct and independent trust-chains that can be severed
> at will.

How can one exercise will when one hasn't the understanding nor the 
tools?  What school of human behaviour is this from?

In contract terms, this doesn't work.  In tech terms, this doesn't 
work.  In UI terms, it's a dog.  In educational terms, it's a 
non-starter.  In crypto-science terms, it's a violation of Kerckhoffs' 
6th, which is now in its 128th year.

The only place it "works" is in a tiny enclave of academics who cluster 
at PKI conferences and the like, where they dream of a world in which 
users suddenly get knowledge injections in the arcana of certificate 
"trust" mechanics.  But, these academics don't carry the consequences of 
it being wrong.

> Secondly, if one CA is compromised, the only affected users are the ones
> who still have that CA's Root certificate in their trust-store and who
> happen to rely on a certificate issued by that CA (or its chain).  Any
> user that has deleted the compromised CA's certificate can continue to
> rely upon *other* TTP certificates/chains without worrying about the
> compromised CA's certificates. They have isolated the damage and can move
> on.

So, we agree that the users who haven't done this are at risk?  Damage 
can ensue?  This is a dangerous situation?

Because the PKI academics have written this up in a so-complicated 
fashion that it is impenetrable, and because the vendors have 
universally agreed (conspired?) to hide this interface in the dark deep 
bottoms of their dialogs, this would constitute a failure of duty of care.

If the certificate needs to be removed for some real purpose, then we 
know it won't be.  And we can state with complete clarity why.  We can 
present your evidence as well as a dozen or more academically sound surveys.

If indeed your claim above is presented by a CA or vendor in court, this 
would be /prima facie/ evidence of gross (criminal) negligence [0].  
IMHO, but real lawyers feel free to add & correct.

> Thirdly, let's assume that the compromised CA has *explicitly* entered
> into a cross-certification agreement with one or more other TTP CAs.
> In such a situation, I admit that users who have removed the compromised
> CA's certificate from their browser, can still become victims of a site
> whose certificate was issued by the compromised CA, but whose website
> administrator chose to use cross-certified path instead of the direct
> path in their web-server's SSL configuration.  This will continue to
> validate as a trusted chain in the browser.  However, any TTP CA that
> has not revoked the compromised CA's (DigiNotar's) cross-certificate
> by now and publicly notified the browser community about such a
> revocation, has endangered their own business, much like DigiNotar.
> This act, and the fact that the user/browser-vendor can remove the
> compromised CA's certificate allows the rest of the internet community
> to continue to rely on SSL connections despite the explicit cross-
> certification.

Yes, thanks, underscores the case  :)

> Are there problems with PKI?  I have already said, undoubtedly.  But,
> these are "certificate manufacturing and distribution" problems that
> must be addressed.  They are not a fundamental weakness of PKI itself.
> As an analogy, let me mention that, when there is an outbreak of
> salmonella in - let's say broccoli - everybody recognizes that the
> tainting is caused, either in the manufacture or distribution of the
> broccoli.  It might be that one or more farms, or one or more
> distributors that is at fault.  While, in the short-term broccoli
> production might be stopped and/or recalled, rational people recognize
> that this is not a fundamental issue with broccoli itself, and do not
> go around claiming that all broccoli manufacturers and distributors
> are tainted or predicting that broccoli is doomed for the black-hole.

Ha.  So this works coz the public knows that a broccoli scare means 
"throw out your broccoli."  Consumers know what broccoli is.

Now substitute the word "broccoli" above with certificates.  Test on any 
10 users.  I rest my case, m'lud.

> One airplane might have fallen from the sky, gentlemen, but the sky is
> not falling down on our heads.
> Arshad Noor
> StrongAuth, Inc.
> P.S.  The use of the term "universal implicit cross-certification"
> only serves to add confusion to an already complex field; you are the
> only one that uses it (3 of the top 5 responses in a Google search
> of this term are from this thread; the remaining two come from your
> paper and presentation at IDTrust from some years ago).  It took me
> a while to realize that it's just your term for "independent trust-
> chains" in the browser.  It might help the PKI community if we called
> a spade a spade.  Thank you.

It's a good term!  Add my use:  There is a universal implicit 
cross-certification in the secure browsing PKI, and the industry knows 
it, or should know it.

Indeed, we can show evidence of this in Chrome's CA pinning.


[0]   Gross or criminal negligence is that negligence found when they 
know they are wrong, or they should have known they are wrong.  "Or 
should know it" means that they have the experience and interest to know it.
