Re: [TLS] [certid] fyi: paper on compelled, certificate creation attack and applicable appliance

Daniel Kahn Gillmor <> Thu, 25 March 2010 19:34 UTC

Date: Thu, 25 Mar 2010 15:33:39 -0400
From: Daniel Kahn Gillmor <>
To: Marsh Ray <>
Cc: ArkanoiD <>,, =JeffH <>
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>

On 03/25/2010 01:40 PM, Marsh Ray wrote:
> The only reason that the world isn't up-in-arms about it is that 59% of
> PCs are pwned by malware already, making the slightly more complicated
> mitm attack unnecessary.
> However, there are important uses of SSL/TLS other than end user web
> browsers. These are probably better off with just the minimal number of
> trusted roots on the clients. But if you're going to the trouble of
> reconfiguring your clients anyway, why not just set up your own private CA?

Running your own X.509 CA works if your goal is only
intra-organizational communication.  As soon as you want to federate
communication with external organizations, running your own CA is
insufficient with X.509, because the model only allows a single
certifier per certificate.

>> There is nothing we can do besides examining chain of trust manually
>> and watching for certificate changes.
> We could implement our protocols such that the remote peer is required
> to satisfy multiple chains of trust.
> When a chain is only as strong as its weakest link, it's best to have
> several of them (in a redundant configuration).

This is possible today using out-of-band OpenPGP certification, which
permits multiple certifiers per certificate.

We currently have it working bidirectionally for openssh and
unidirectionally (firefox browsers can authenticate servers) for https.
More is coming soon, and feedback is welcome, particularly from folks
who are interested in TLS mechanisms.

>> The TOFU technology described
>> there is quite obvious, i always wondered why ssh has it and browsers
>> do not.
> In theory, SSH's approach is inferior to SSL's PKI. In practice it's not
> inferior only to the extent that the user is good at scrutinizing the
> new keys he gets presented.
> If you want that behavior in a web browser, just delete all your trusted
> root certs and add a persistent explicit trust whenever you see a cert
> the first time. (I have tried this in Firefox)

I believe you can do this system-wide with firefox and other
mozilla-based browsers by removing the nssckbi shared library
(/usr/lib/nss/ on debian, a .dll someplace on windows),
which provides the pre-defined list of root CAs.
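The "satisfy multiple chains of trust" policy Marsh describes, worked through in Go as an added example that is not part of this message or of any project mentioned in it. Because an X.509 certificate carries exactly one issuer, the server holds one certificate per certifier for the same key, and the client requires every trusted root to be satisfied and every presented certificate to bind the same public key. The helper names (issue, newKey, verifyAllRoots, runScenarios), the organization names and the host name example.org are assumptions made for the demonstration; certificate creation and chain verification are done by Go's standard library.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue has priv certify pub as cn: a self-signed CA root when parent is nil,
// otherwise a server certificate for host cn. Demo-only lifetimes; setup panics.
func issue(cn string, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if parent == nil {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
		t.DNSNames, parent = nil, t
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func newKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

// verifyAllRoots accepts the peer only when every trusted root is satisfied by
// some presented certificate for host and all certificates bind the same key.
func verifyAllRoots(host string, leaves, roots []*x509.Certificate) error {
	if len(roots) == 0 {
		return fmt.Errorf("no trusted roots configured")
	}
	satisfied := make([]bool, len(roots))
	for _, leaf := range leaves {
		// Certificates are public: without this check an attacker could pair one
		// compelled certificate with a copy of the genuine one from the other CA.
		if !bytes.Equal(leaf.RawSubjectPublicKeyInfo, leaves[0].RawSubjectPublicKeyInfo) {
			return fmt.Errorf("presented certificates bind different public keys")
		}
		for i, root := range roots {
			pool := x509.NewCertPool()
			pool.AddCert(root)
			if _, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool}); err == nil {
				satisfied[i] = true
			}
		}
	}
	for i, ok := range satisfied {
		if !ok {
			return fmt.Errorf("no valid chain to root %q", roots[i].Subject.CommonName)
		}
	}
	return nil
}

func runScenarios() (both, onlyA, mixed error) {
	const host = "example.org" // constructed name for the demonstration
	keyA, keyB, serverKey, attackerKey := newKey(), newKey(), newKey(), newKey()
	rootA := issue("Org A Root", nil, &keyA.PublicKey, keyA)
	rootB := issue("Org B Root", nil, &keyB.PublicKey, keyB)
	// One issuer per X.509 certificate, so the genuine server holds one
	// certificate from each certifying organization for the same key.
	leafA := issue(host, rootA, &serverKey.PublicKey, keyA)
	leafB := issue(host, rootB, &serverKey.PublicKey, keyB)
	// The attacker compels Org A alone into certifying the attacker's key.
	rogueA := issue(host, rootA, &attackerKey.PublicKey, keyA)
	roots := []*x509.Certificate{rootA, rootB}
	both = verifyAllRoots(host, []*x509.Certificate{leafA, leafB}, roots)
	onlyA = verifyAllRoots(host, []*x509.Certificate{rogueA}, roots)
	mixed = verifyAllRoots(host, []*x509.Certificate{rogueA, leafB}, roots)
	return both, onlyA, mixed
}

func main() {
	both, onlyA, mixed := runScenarios()
	fmt.Printf("both CAs: %v\ncompelled Org A only: %v\ncompelled Org A + genuine Org B: %v\n", both, onlyA, mixed)
}
```

Only the first presentation verifies; the compelled certificate fails on its own because Org B's root is never satisfied, and it fails when paired with the genuine Org B certificate because the two bind different keys. The policy is deliberately all-of-N: a k-of-N threshold would be the same loop with a counter instead of the per-root flag, but every root dropped from the requirement is one more CA that can be compelled alone.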
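The trust-on-first-use behaviour discussed above (ssh's known_hosts model, or a browser with its root list removed and an explicit persistent trust added per site), as an added example in Go that is not part of this message or of the projects it mentions. It pins the SHA-256 of the peer's SubjectPublicKeyInfo, persists pins in a simple "host fingerprint" line format, and reports a changed key instead of silently replacing the pin. The type and function names, the on-disk format and the host example.org are assumptions for the demonstration; the keys are freshly generated Ed25519 keys standing in for real server keys.

```go
package main

import (
	"bufio"
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"strings"
)

// PinResult is the outcome of comparing a peer's key with the stored pin.
type PinResult int

const (
	PinFirstUse PinResult = iota // unknown host: key recorded, trusted from now on
	PinMatch                     // key equals the stored pin
	PinMismatch                  // key changed: refuse until a human checks it out of band
)

// PinStore maps host -> fingerprint, in the spirit of ssh's known_hosts.
type PinStore struct {
	pins map[string]string
}

// Check applies the trust-on-first-use rule and never overwrites an existing pin.
// The pin hashes the DER SubjectPublicKeyInfo, so a reissued certificate still matches.
func (s *PinStore) Check(host string, pub crypto.PublicKey) (PinResult, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return PinMismatch, err
	}
	sum := sha256.Sum256(der)
	fp := "sha256:" + base64.StdEncoding.EncodeToString(sum[:])
	stored, seen := s.pins[host]
	switch {
	case !seen:
		s.pins[host] = fp
		return PinFirstUse, nil
	case stored == fp:
		return PinMatch, nil
	}
	return PinMismatch, nil // caller must refuse the connection and escalate
}

// Serialize writes "host fingerprint" lines (a constructed on-disk format).
func (s *PinStore) Serialize() string {
	var b strings.Builder
	for host, fp := range s.pins {
		fmt.Fprintf(&b, "%s %s\n", host, fp)
	}
	return b.String()
}

// ParsePinStore reads the format written by Serialize, rejecting malformed lines.
func ParsePinStore(text string) (*PinStore, error) {
	s := &PinStore{pins: map[string]string{}}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) == 0 || strings.HasPrefix(fields[0], "#") {
			continue
		}
		if len(fields) != 2 || !strings.HasPrefix(fields[1], "sha256:") {
			return nil, fmt.Errorf("malformed pin line: %q", sc.Text())
		}
		s.pins[fields[0]] = fields[1]
	}
	return s, sc.Err()
}

// randKey stands in for a server's (or an attacker's) public key in the demo.
func randKey() crypto.PublicKey {
	pub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub
}

// demo: first contact, a later session that reloads the store, then a changed key.
func demo() (first, repeat, changed PinResult, err error) {
	serverPub, attackerPub := randKey(), randKey()
	store := &PinStore{pins: map[string]string{}}
	if first, err = store.Check("example.org", serverPub); err != nil {
		return
	}
	if store, err = ParsePinStore(store.Serialize()); err != nil {
		return
	}
	if repeat, err = store.Check("example.org", serverPub); err != nil {
		return
	}
	changed, err = store.Check("example.org", attackerPub)
	return
}

func main() { fmt.Println(demo()) } // PinFirstUse, PinMatch, PinMismatch, nil
```

The weakness Marsh points at is visible in the result type: PinFirstUse grants trust with no evidence at all, and PinMismatch is only as good as the person who reviews it. A production store would also record when each pin was learned and refuse outright, rather than prompt, when the key changes for a host with a long history.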