Today, there was yet another reminder that there are problems with our current PKI system.
Background
For those not sure what I am talking about, “PKI” stands for “Public Key Infrastructure.” It is a term used to refer to the system of X.509 certificates, often called “security certificates” such as are used for web browsing and other functions.
The way it works, the “secure” web site uses encryption, and presents a certificate that is supposed to guarantee the authenticity of the site. A client, such as you when you are browsing, checks the validity of the certificate by verifying the signature that certifies the certificate. But, in order for that to work, you have to trust the signer of the certificate.
What has happened, in the recent event, is that supposedly trustworthy certifier Commodo has signed (perhaps been tricked into signing) some certificates that were created with fraudulent intent. So Mozilla has seen fit to work around this problem by releasing a new firefox version that specifically blacklists those fraudulent certificates.
The problem with PKI
The current PKI system is based on a hierarchical trust model. At my place of employment, a hierarchical model works well. I trust the top management. The top management delegates some trusted functions to lower level management. So if I see trust assigned properly by lower level management, I know that it was implicitly approved by top management.
The real world doesn’t work that way. There are no top authorities from whom trust can flow. But PKI assumes that there are, and in order for the web to work with current protocols, we pretty much agree to trust those at the top who have appointed themselves as trustworthy.
To see how the real world works, we need to get out of the computing world. We often need to document the validity of transactions such as applications for wedding licenses, loan applications, drivers license applications, etc. We document their validity by having them signed by several witnesses. Sometime, these witnesses are public notaries, though that is not always required. The “web of trust” used by PGP encryption is far closer to how we handle these trust questions in ordinary non-digital life.
An example
You buy something online at FlyByNight.Thieves.com, and pay for it with your VISA card. The site use the current PKI security. It turns out that you were ripped off by that site. So you complain to the CA (certification authority) that signed their certificate. But that CA tells you “tough; we only guarantee that the site really is FlyByNight.Thieves.com. We don’t guarantee that they are honest.”
That’s how it currently works. Here’s how it should work. Your bank provides you with your VISA card, and it also provides you with an electronic version of your VISA card. The electronic VISA card is a certificate, signed by your bank or by VISA international. When you go to purchase online, you use your electronic VISA card. You sign the transaction, using the public/private key pair provided with the electonic VISA (which makes forging an electronic card rather difficult). And you check that the merchant’s security certificate is also signed by VISA international. This checking would be done automatically by the software. Now, if you are ripped off, you go to your bank. They have certified the web site as trusted to accept VISA transactions. You have a trust relation with your bank, and the bank makes sure that you are not ripped off.
We cannot do that with the current PKI. For it would require that a web site have its certificate signed by VISA, by Discover Card, by American Express, by Master Card, and by similar groups. The current PKI system allows for only a single signature on a certificate (unlike the PGP encryption system, which allows multiple signers).
The current system does a reasonably good job of preventing “Man in the Middle” attacks. But we should expect more than that from an internet security system.
The Heretical Philosopher 