Web of Trust (a revolution)

Tue Mar 31 11:27:08 UTC 2009

On Monday 30 March 2009 20:12:45 Bruno Wolff III wrote:
> On Mon, Mar 30, 2009 at 13:46:02 -0400,
>
>   Todd Denniston <Todd.Denniston at ssa.crane.navy.mil> wrote:
> > i.e., sure all the root CA's that the browser producers want to include
> > can come in, but they should have trust DBs that allow each user to tick:
> > * Never trust this key. (and by extension anything it has signed. Perhaps
> > with a pop up indicating 'the sig is ok, according to bla, but bla is a
> > known idiot.')
> > * Marginal trust. (pop up something saying 'the sig is ok, according to
> > bla, but you are uncomfortable with bla.')
> > * Fully trust. (operate as CA's in web browsers since they started
> > getting CA's.)
> >
> > And by default (as released by the browser producers) the keys should be
> > set to either Never or Marginal.
>
> I'd rather see more of a web of trust type model. Right now you can only
> have one chain of certificates. So you can't have a cert signed by multiple
> roots.

Ought to be possible for people to visit companies' offices and sign their keys, 
and add them to the "web of trust" as per PGP / GPG keys. No idea if / how that 
should be done, in practice, though.

> There is nothing keeping track of the cert you previously saw for a site
> (unless you remove all of the CA certs) so that you get warned when it
> changes. (At least if the new cert isn't signed by the old one.)

That could, perhaps should, be done by the browser. Ultimately, DNSSEC needs to 
used everywhere, and the keys for a domain stored in the DNS alongside the host 
records (A, AAAA, CNAME). SSL keys, I mean, for services. That's the only way 
to do it (although it still doesn't prevent a domain being "hijacked" due to 
inattentive registrars allowing spurious transfers). 

> CAs that charge extra in order to sign certs that have flag set to
> indicate that they can sign other certs in subdomains should be boycotted.

This is actually a rotten idea. If you need internal testing systems, or to 
dynamically create them as needed, or you want to run shared hosting using SSL 
(as we do for internal testing, since our application requires SSL enabled) 
then being able to sign your own sub-domains and / or have a wildcard are 
pretty much essential.

> Sites with self signed certs that prevent passive snooping get treated as
> the same as going to a site without ssl and not triggering all sorts of
> inappropriate warnings that look scary and make people jump through hoops
> to bypass them.

That's a separate issue; it's a pain, but if a "root" CA updates their keys at 
any point, older browsers / operating systems may well experience a period 
of "messages popping up telling me they can't verify the certificate" ...