[WEB SECURITY] Improving Authentication on the Internet

Mitja Kolsek mitja.kolsek at acrossecurity.com
Thu May 12 05:21:53 EDT 2005


A very interesting paper, well done. What it reminded me of is a peculiar
practice some of our local organizations are implementing, including our
government: They don't use the default trusted CAs we all have in our
browsers, but rather use their own for issuing their own servers' certs. So
if you want to visit their sites via HTTPS, you are asked to first install
their root cert in your browser's trusted root cert store. Now, the
peculiarity: you download this root cert via an HTTP connection and you have
no way of verifying its authenticity. Mind you, some root cert download
sites do provide the cert details in cleartext as well, so you can compare
one untrusted piece of data with another untrusted piece of data :-)

I'm interested in knowing if others on this list have similar experiences in
their local environments. The way I see it, if someone "forces" you to
install a new trusted root cert, we need a process for verifying its
authenticity. One way would be to use transitivity and provide download of
newcert.cer via an HTTPS connection authenticating the site owner with an
already trusted root cert like Verisign or Thawte. Another would be for the
officials to provide - written and in person - the newcert.cer's fingerprint
to users at the time of users' enrollment, along with instructions for
newcert's validation upon download. Any other ideas?


> -----Original Message-----
> From: Gervase Markham [mailto:gerv at gerv.net] 
> Sent: 11. maj 2005 20:07
> To: websecurity at webappsec.org
> Subject: [WEB SECURITY] Improving Authentication on the Internet
>
> On the 17th of this month, at the invitation of Comodo, the 
> major CAs and browser vendors (including mozilla.org) are 
> having a meeting in New York to discuss some of the issues 
> surrounding the future of SSL and trust on the Internet.
>
> As a way of working out my thinking on this, I've written a 
> paper called "Improving Authentication On The Internet":
> http://www.gerv.net/security/improving-authentication/
>
> It starts with the basics, mostly as a way to confirm that my 
> understanding of the current situation is correct. All 
> comments, both correcting my facts and giving alternative 
> views, are very welcome.
>
> Gerv
> ---------------------------------------------------------------------
> The Web Security Mailing List
> http://www.webappsec.org/lists/websecurity/
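
Added example, not part of the original messages: one way a user could carry out the fingerprint validation described in the reply above, comparing a downloaded root cert against a fingerprint received on paper at enrollment. It assumes a SHA-256 fingerprint over the cert's DER encoding; the function names are hypothetical and the sample bytes are constructed stand-ins, not a real certificate.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def cert_der(data: bytes) -> bytes:
    """Return the DER bytes of exactly one certificate (PEM or DER input)."""
    if b"-----BEGIN CERTIFICATE-----" not in data:
        return data  # no PEM armor: treat the file as raw DER
    blocks = PEM_RE.findall(data.decode("ascii", "strict"))
    if len(blocks) != 1:
        # A bundle would let an extra root ride along unverified.
        raise ValueError(f"expected one certificate, found {len(blocks)}")
    return base64.b64decode("".join(blocks[0].split()), validate=True)


def fingerprint(data: bytes) -> str:
    """SHA-256 over the DER encoding, as colon-separated upper-case hex."""
    digest = hashlib.sha256(cert_der(data)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches(data: bytes, expected: str) -> bool:
    """Compare against a fingerprint received out of band (paper, in person).

    A value copied from the same HTTP page as the download proves nothing.
    """
    want = re.sub(r"[\s:]", "", expected).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", want):
        # Wrong length usually means an MD5/SHA-1 value or a truncated copy.
        raise ValueError("expected fingerprint is not 64 hex digits (SHA-256)")
    got = hashlib.sha256(cert_der(data)).hexdigest()
    return hmac.compare_digest(got, want)


# Constructed stand-in bytes, not a real certificate: the hash covers
# whatever DER bytes the file holds, so any byte string shows the check.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x0A]) + bytes(range(256)) + b"newcert"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")
```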
