EV guidelines

EV guidelines

Ben Bucksch
Followup-To m.d.security

Basics: SSL certificates are supposed to ensure the identity of the one
you talk to. One reason is to make the crypto meaningful (a MITM attack
is still possible with SSL, if the middleman uses his own cert and the
client accepts it as real). The other reason is to connect online
business to real world business - if you buy at a store, and give your
credit card data, you want to know it's not going to Russia, but to a
real company, and that you can sue them, if they don't deliver.
Note that SSL certificates say nothing about the trustworthiness or
similar, just verify identity.

Problem: GeoTrust and a few other companies started selling cheap
certificates which are issued automatically (no human involved) and only
check whether the applicant has control over the domain (or email
address) that the certificate is to be issued for. These are called
"domain control verification" or DV certs. The "holder's name" field in
the certificate does not get verified *at all* and is thus useless with
these certs - it either equals domain name or can be simply lying,
despite being signed by the CA. Given that, these new cert types pose a
significant problem to business on the web, and make phisher's life easy
(if phishers even bother with SSL or certs).

EV solution by the "CA/Browser Forum": A bunch of CAs came up with a
proposal of a new cert standard. Mainly, it mandates the checks that the
CA has to do to verify the certificate holder. They are intended to be
sold to high-profile sites like eBay.com, and cost $1000/year upwards.
So, one obvious reason for EV is that CAs want to charge more money from
the customers that make a lot of money on the web. It does increase the
level of vetting substantially, and it's definitely a huge improvement
over status quo. So, browser and browser users also gain from it. For
Microsoft, it's actually part of an anti-phishing initiative; MSIE was
supposed to make the URLbar green for some sites, and EV was one
mandatory criterion for that (there are other criteria as well, e.g.
anti-phishing blacklists etc.).

The "CA/Browser Forum" consists out of all major browser vendors,
including Microsoft, Mozilla Foundation, KDE (Konqueror), and Opera
(Apple is missing). Most of the big CAs are on it as well.
The current guidelines are at
<http://www.cabforum.org/EV_Certificate_Guidelines.pdf>. It's 70-100
pages in lawyer language.


My comments:

Don't be fooled by the language and length, though. "Qualified
Independent Information Sources" could probably simply be a phonebook,
and a "site audit" is a clerk looking at the sign on the street and
peeking in the lobby. That's not what *I* would call an "audit".

The "phone number verification" happens by calling the number and seeing
who answers (Me at 0900-123456: "Microsoft, how can I help you?")
(16(b)(2)(A)+(C)). So, I could apply as Microsoft, supply them my
number, answer as Microsoft, and that's the verification. To top it,
this number can then be used to verify the signature, with "a response
from someone who identifies themselves as such person confirming that
he/she did sign the applicable document". Maybe I have overlooked
something, but I could give them the address of eBay, or my address with
an eBay sign, and *my* phone number, sign the doc, and then when they
call me, greet with "Ben Bucksch of eBay speaking" and confirm that I am
a "Contract Signer" who is allowed to represent eBay and I did indeed
sign the doc. huh?

This whole thing has lots of loopholes. Given the experience and market
pressures, we have to assume that the CAs use the absolute minimum and
cheapest standards that still pass the guidelines, and they'll automate
as much as possible.

Also, there are really heavy statements in there, e.g. the liability
(37(a); see also
<https://financialcryptography.com/mt/archives/000862.html>: If the CA
follows the EV guidelines and the user gets ripped off, the CA is not
liable at all - be it due to hole in the guidelines or other reasons.
Even worse, though, if the CA *fails* to follow the guidelines, and the
user gets ripped off *because of that*, the liability of the CA is
limited to $2000 - not even per case, per cert/CA customer. Even a
single normal phishing incident is easily higher than that. That's
particularly sobering considering that a cert *costs* $1000-2000 - that
means I could set up a CA and sell certs to everybody including the
mafia and not verify certs *at all*, and even pay all liability (per EV
guideline doc) and still make a profit for my few valid customers.
Sorry, how does that help users *at all*? IMHO, this should be backed by
$10-100 million insurances - per incident. Even an average $100 UPS
comes with $100,000 insurances.


My alternative proposal:
(most important part of posting)

We need to connect online business with real world business. I want to
have somebody to sue - who won't vanish when poked at. And I want that
the info in the cert is actually correct.

I really think that every CA-issued certificate must be verified using
the following steps:

   1. Using the official state register of companies to verify company
      name and representing natural person
   2. Acquiring written signature (original) of that person
   3. Checking the signature against the ID card / passport of that person

This, and pretty much only this, will ensure that the card holder really
is who he claims to be, in real life, as seen by the government and
courts. Thus, before EV, I assumed that the above is performed for the
$100/year certs.

It should be cheap enough, *esp.* so for $1000/year EV certs. In
Germany, if you want to mail-rent (Netflix-alike) 18+ movies (including
Van Helsing), you have to pass harder verification steps than EV. You
actually have to walk to the post office, which has a service to verify
your identity card and send the result back to the requester. It costs
10 Eur, once. In fact, my grocery store not only asks for my signature
for every purchase, they even double-check the signature against my ID
card every time! (Apart from the people who already know me.) If a
grocery store clerk can do it for a $10 purchase, a CA can do it for a
$1000/year cert which is backing up $ x00 million business for tens of
thousands of users.

People have said that not every US citizen has a passport. But they can
get one. This is about ensuring something to users, after all.

Note that I think that natural persons and small companies should also
be able to get an EV cert, from the start.


UI proposal:

We could e.g. then show the cert holder name next to the domain name in
the urlbar, so that the real world name is a trust root, in addition to
the domain.

That would be something most users can more easily relate to than the
domain name system, which is logical, but literally backwards.
However, the real world company name may then be just as much a phishing
target as the domain name is now. We'll not only have international
character sets (compare IDN), which we can't easily escape from as we
did with domains, but there'll be another class of attack of similar
seeming company names, e.g. is Shell Books a subsidiary of Shell Oil
Company or not or is "e Bay Auctioners, Inc." a part of eBay?


UI: Green urlbar, as maybe done by MSIE:

http://it.slashdot.org/article.pl?sid=07/01/26/1325228

> "Stanford University and Microsoft Research have published a study
> that claims that the new Extended Validation SSL Certificates in IE7
> are ineffective <http://www.usablesecurity.org/papers/jackson.pdf>
> (PDF). The study, based on user testing, found that EV certificates
> don't improve users' ability to detect attacks, that the interface can
> be spoofed, and that training users actually decreases their ability
> to detect attacks. The study will be presented at Usable Security 2007
> next month, which is a little late now that the new certificates are
> already being issued.
> <http://it.slashdot.org/article.pl?sid=07/01/13/1615213&tid=172>"

Study done in Sept 2006 and I found the setup (training etc.) highly
questionable, but the only conclusion one can draw is that the green bar
increased people's trust in websites - ironically real and fraudulent
alike! (no matter if green bar or not)

So, if one can believe the study, the green bar is a really bad idea.

--
When responding via mail, please remove the ".news" from the email address.

_______________________________________________
dev-security mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-security
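The UI proposal above puts the certificate holder's real-world name in front of the user, and the post itself notes that look-alike organisation names ("e Bay Auctioners, Inc.", a "Shell Books" next to Shell Oil, IDN-style character substitution) then become the target. The following is an added example, my own code and not from this post, from Mozilla or from the CA/Browser Forum guidelines, of the kind of check a CA vetting queue or a browser warning could run to surface such collisions for a human reviewer: Unicode normalisation, case folding, a small constructed look-alike character table, and removal of legal-form suffixes, after which a candidate name is compared against known names. The organisation names and the confusable table are constructed for illustration; the real Unicode confusables data is far larger.

```python
import re
import unicodedata

# Constructed, deliberately small look-alike table for illustration only.
# The real Unicode confusables data (UTS #39) is much larger; a production
# check would load that instead of this hand-written dictionary.
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0443": "y",  # Cyrillic small u
    "\u0445": "x",  # Cyrillic small ha
    "\u0131": "i",  # Latin dotless i
    "0": "o",       # digit zero
    "1": "l",       # digit one
}

# Legal-form suffixes that do not distinguish one organisation from another
# (constructed list; extend per jurisdiction).
LEGAL_SUFFIXES = {
    "inc", "incorporated", "ltd", "limited", "llc", "gmbh", "ag", "plc",
    "corp", "corporation", "co", "company",
}


def name_tokens(name: str) -> list:
    """Reduce an organisation name to lower-case ASCII tokens: accents stripped,
    look-alike characters folded, punctuation removed, legal suffixes dropped."""
    s = unicodedata.normalize("NFKD", name).casefold()
    s = "".join(ch for ch in s if unicodedata.category(ch) != "Mn")  # drop combining marks
    s = "".join(CONFUSABLES.get(ch, ch) for ch in s)
    s = re.sub(r"[^a-z0-9]+", " ", s)  # punctuation and any remaining non-ASCII
    return [t for t in s.split() if t not in LEGAL_SUFFIXES]


def skeleton(name: str) -> str:
    """Comparison key: tokens joined without spaces, so 'e Bay' and 'eBay' collide."""
    return "".join(name_tokens(name))


def classify(candidate: str, known: str):
    """'same' if both names reduce to one key, 'shares-brand' if the candidate's
    key begins with the known name's leading token, otherwise None."""
    c_tokens, k_tokens = name_tokens(candidate), name_tokens(known)
    if not c_tokens or not k_tokens:
        return None
    c_key, k_key = "".join(c_tokens), "".join(k_tokens)
    if c_key == k_key:
        return "same"
    if c_key.startswith(k_tokens[0]):
        return "shares-brand"
    return None


def review_queue(candidate: str, known_names) -> list:
    """Known names the applicant's name collides with, as (name, verdict) pairs
    for a human reviewer; an empty list means no collision was detected."""
    hits = []
    for known in known_names:
        verdict = classify(candidate, known)
        if verdict:
            hits.append((known, verdict))
    return hits


if __name__ == "__main__":
    KNOWN = ["eBay Inc.", "Shell Oil Company", "PayPal Inc."]  # constructed list
    for applicant in ["e Bay Auctioners, Inc.", "Shell Books", "\u0435Bay Inc", "Beonex"]:
        print(applicant, "->", review_queue(applicant, KNOWN))
```

The verdicts are flags for a reviewer, not an automatic accept or reject: a short leading token such as "shell" will also match unrelated names that happen to start with it, which is exactly the point where a pair of human eyes on the application is needed.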

Re: EV guidelines

Ben Bucksch
An alternative idea, tweaking the business model: Let's say we managed
to make CAs liable for any business that goes wrong and it cannot be
sorted out with the cert holder, either because he cannot be reached or
sued or the company cannot pay the money that the court ordered it to.
Then, suddenly, the CAs have very strong incentive to be checking very
well, including financial records, and are able to balance the checking
costs vs. damage themselves. In *that* case, it would actually make
sense to also show the CAs name to the user, because the CA provides
actual value/security for the user.

If the goal is to really improve the reputation of online business
substantially, we could go even further.

Re: EV guidelines

heikki
In reply to this post by Ben Bucksch
Ben Bucksch wrote:
> People have said that not every US citizen has a passport. But they can
> get one. This is about ensuring something to users, after all.

Actually, several million US citizens can not get a passport. I can't
find the actual article I read, but I saw it linked from reddit or digg
or some such in the last week or so. However, one example I found was if
you are more than $5000 behind in child support payments:
http://www.metnews.com/articles/euni022502.htm. I am pretty sure these
people can still start companies.

--
  Heikki Toivonen

Re: EV guidelines

Ben Bucksch
Heikki Toivonen wrote:
> Actually, several million US citizens can not get a passport. I can't
> find the actual article I read, but I saw it linked from reddit or digg
> or some such in the last week or so. However, one example I found was if
> you are more than $5000 behind in child support payments:
> http://www.metnews.com/articles/euni022502.htm. I am pretty sure these
> people can still start companies.

Are those people we want to give high assurance certs to?

Somebody being convicted for refusing to sing the national hymn in
school and then not being allowed to get a passport due to being a
"criminal" is one thing (I don't think that happens in the US, even
former criminals can get a passport). But somebody not fulfilling
financial duties is another, that actually is kind-of relevant.

And it's not like we'll require EV to set up a website or something.

Again, we need to ensure something to users. If people didn't bother to
get passports, and now can't get one due to some strange US laws, and
now want to be the CEO of a company, and want to get EV, they may be out
of luck. Note that it's only the CEO *or* other registered
representative (and maybe admin, depends on scheme) who needs to provide
the passport.

--
When responding via mail, please remove the ".news" from the email address.

Re: EV guidelines

Florian Weimer
In reply to this post by Ben Bucksch
* Ben Bucksch:

> We need to connect online business with real world business. I want to
> have somebody to sue - who won't vanish when poked at. And I want that
> the info in the cert is actually correct.
>
> I really think that every CA-issued certificate must be verified using
> the following steps:
>
>   1. Using the official state register of companies to verify company
>      name and representing natural person

I don't think the register of companies is useful for this purpose.
Anyone can get on it.

>   2. Acquiring written signature (original) of that person

Not very useful in itself.

>   3. Checking the signature against the ID card / passport of that person

Good fake passports are usually cheaper than government-issued ones.

> This, and pretty much only this, will ensure that the card holder
> really is who he claims to be, in real life, as seen by the government
> and courts. Thus, before EV, I assumed that the above is performed for
> the $100/year certs.

Part of the reason for the price drop was that there were so few
impersonation attacks against CAs.  Experience tells that there is
close to zero risk for the CA, so it does not make sense to spend
money on better checks.  There is simply no liability you need to
shift.  I don't see why this is going to change with EV certificates.

And since there are so few attacks, we haven't got a good threat
model, either.

Personally, I think that in order to make a difference, EV
certificates must verify not only that the certificate holder is in
control of embedded domain names (the usual EV CPS is basically
equivalent to domain-control certificates in this area), but also that
the certificate holder has got all the relevant trademark rights.
Wildcard certificates would probably have to go, too.

Re: EV guidelines

Gervase Markham
In reply to this post by Ben Bucksch
Ben,

Some comments on your post. Please understand that I'm not being
defensive about EV, or claiming that it's perfect - I just want to test
your arguments a little bit.

Ben Bucksch wrote:
> EV solution by the "CA/Browser Forum": A bunch of CAs came up with a
> proposal of a new cert standard. Mainly, it mandates the checks that the
> CA has to do to verify the certificate holder. They are intended to be
> sold to high-profile sites like eBay.com, and cost $1000/year upwards.

Just to be clear: They are not _intended_ to cost $1000/year upwards;
the CAB Forum had no discussions on and makes no mandates about pricing.
(That would fall foul of antitrust law.) However, that seems to have
been the average price at which CAs have launched the new certs.

> Don't be followed by the language and length, though. "Qualified
> Independent Information Sources" could probably simply be a phonebook,
> and a "site audit" is a clerk looking at the sign on the street and
> peeking in the lobby. That's not what *I* would call an "audit".

Right. But how many phishers have an office with a street sign saying
"eBay" and a lobby?

> The "phone number verification" happens by calling the number and seeing
> who answers (Me at 0900-123456: "Microsoft, how can I help you?")
> (16(b)(2)(A)+(C)). So, I could apply as Microsoft, supply them my
> number, answer as Microsoft, and that's the verification.

Except you can't, because there won't be any information sources which
confirm that your number belongs to Microsoft. Because it doesn't.

> To top it,
> this number can then be used to verify the signature, with "a response
> from someone who identifies themselves as such person confirming that
> he/she did sign the applicable document".

I think you misunderstand the purpose of this step. It's to make sure
that a rogue employee doesn't apply for a certificate using the name of
someone else at the company who would be authorised to make the
application.

> Maybe I have overlooked
> something, but I could give them the address of eBay, or my address with
> an eBay sign,

I don't think any information source would confirm that your address
belonged to eBay.

> This whole thing has lots of loopholes. Given the experience and market
> pressures, we have to assume that the CAs use the absolute minimum and
> cheapest standards that still pass the guidelines, and they'll automate
> as much as possible.

That's certainly true. However, it's also true that the advantage of a
written standard is that it can be updated in response to new threats.

So if, for example, someone gets an EV cert and uses it for phishing, we
can analyse how they did it and tighten up the guidelines to close the
loophole. With the previous, different-with-every-CA, ad-hoc procedures,
that sort of thing wouldn't have been possible.

> Also, there are really heavy statements in there, e.g. the liability
> (37(a); see also
> <https://financialcryptography.com/mt/archives/000862.html>: If the CA
> follows the EV guidelines and the user gets ripped off, the CA is not
> liable at all - be it due to hole in the guidelines or other reasons.

Is this a change from how things work currently?

> Even worse, though, if the CA *fails* to follow the guidelines, and the
> user gets ripped off *because of that*, the liability of the CA is
> limited to $2000 - not even per case, per cert/CA customer.

It says "$2000 per Subscriber or Relying Party per EV Certificate". This
means that if ten people are ripped off, they can claim $2000 each.

However, I agree that this is a little bit low.

> Even a
> single normal phishing incident is easily higher than that. That's
> particularly sobering considering that a cert *costs* $1000-2000 - that
> means I could set up a CA and sell certs to everybody including the
> mafia and not verify certs *at all*,

Except that you wouldn't pass the Webtrust EV audit and no browsers
would EV-enable your root (if it even got in in the first place).

> We need to connect online business with real world business. I want to
> have somebody to sue - who won't vanish when poked at. And I want that
> the info in the cert is actually correct.
>
> I really think that every CA-issued certificate must be verified using
> the following steps:

Just to check: you mean _every_ CA-issued certificate? If so, you need
to propose a way to get from where we are now to the place you want to be.

Say we wrote our own guidelines, and said to all the CAs "unless every
cert you issue meets these, we'll yank your root". Who do you think
would blink first?

>    1. Using the official state register of companies to verify company
>       name and representing natural person

What about issuing certs to people or organisations which aren't companies?

What about countries where there is no such register, or it's unreliable?

>    2. Acquiring written signature (original) of that person
>    3. Checking the signature against the ID card / passport of that person

One draft of a precursor document to the EV guidelines included a
requirement for a site visit, and that you had to meet up with the
applicant and take a photo of them with their government issued ID, and
record the number thereon. I still think this was a great idea, but
unfortunately I was not in a majority.

> This, and pretty much only this, will ensure that the card holder really
> is who he claims to be, in real life, as seen by the government and
> courts. Thus, before EV, I assumed that the above is performed for the
> $100/year certs.

Really? There's no way any CA could make money doing this at $100 a
cert. In the US, there are networks of companies which will do site
visits and this sort of verification for you, but in other countries,
there aren't. Such a visit would cost several hundred dollars to have
performed.

> Note that I think that natural persons and small companies should also
> be able to get an EV cert, from the start.

But then how can your step 1), above, work?

> We could e.g. then show the cert holder name next to the domain name in
> the urlbar, so that the real world name is a trust root, in addition to
> the domain.

Their legal business name? Or their "trading as" name? Or the real name
of the person at the company who made the application?

> However, the real world company name may then be just as much a phishing
> target as the domain name is now. We'll not only have international
> character sets (compare IDN), which we can't easily escape from as we
> did with domains, but there'll be another class of attack of similar
> seeming company names, e.g. is Shell Books a subsidiary of Shell Oil
> Company or not or is "e Bay Auctioners, Inc." a part of eBay?

Indeed. There's no substitute for a pair of human eyes on each
application - which I believe EV requires (section 24).

Gerv

Re: EV guidelines

Duane-3
In reply to this post by Florian Weimer
Florian Weimer wrote:

> Personally, I think that in order to make a difference, EV
> certificates must verify not only that the certificate holder is in
> control of embedded domain names (the usual EV CPS is basically
> equivalent to domain-control certificates in this area), but also that
> the certificate holder has got all the relevant trademark rights.
> Wildcard certificates would probably have to go, too.

Certificates with subjectAltName extensions should be able to replace
wild card certificates, the question is what checks should be applied to
hostnames?

Most banks and other large entities have a list of hostnames as long as
my arm for load balancing and other valid reasons, which most often look
deceptive in my opinion, and almost phishing-like in some cases.

--

Best regards,
 Duane

http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://e164.org - Because e164.arpa is a tax on VoIP

"In the long run the pessimist may be proved right,
    but the optimist has a better time on the trip."
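Duane's question of what checks should apply to the hostnames in a certificate has a client-side half as well: whether the name the user connected to matches a dNSName entry in the subjectAltName extension at all, and how narrowly a wildcard is allowed to match. The following is an added example of my own, not code from CAcert, Mozilla or this thread, implementing that match with the wildcard restrictions of RFC 6125 section 6.4.3 (published after this discussion): one `*`, only as the whole leftmost label, matching exactly one label, and never directly under a top-level domain. An `allow_wildcards` switch refuses wildcards entirely, which is what replacing them with explicit SAN entries amounts to. The SAN lists are constructed and belong to no real certificate.

```python
import ipaddress

# Constructed sample subjectAltName dNSName lists; not taken from any real certificate.
SAN_EXPLICIT = ["www.example.com", "login.example.com", "example.com"]
SAN_WILDCARD = ["*.example.com"]


def normalise_host(host: str) -> str:
    """Lower-case, strip a trailing dot, and convert IDN labels to their
    xn-- (A-label) form so that comparison happens on one representation."""
    host = host.strip().rstrip(".").lower()
    if not host.isascii():
        try:
            host = host.encode("idna").decode("ascii")
        except UnicodeError:
            return ""  # malformed label: treat as non-matching
    return host


def wildcard_matches(pattern: str, host: str) -> bool:
    """RFC 6125 6.4.3 style wildcard match:
    - exactly one '*', and it must be the entire leftmost label;
    - it matches exactly one label ('a.b.example.com' does not match '*.example.com');
    - at least two labels must follow it, so '*.com' is refused."""
    if pattern.count("*") != 1 or not pattern.startswith("*."):
        return False
    suffix = pattern[1:]  # ".example.com"
    if suffix.count(".") < 2:
        return False
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def hostname_matches(host: str, san_dns_names, allow_wildcards: bool = True) -> bool:
    """Does `host` match any dNSName entry? IP literals never match a dNSName;
    they must be compared against iPAddress entries instead (not shown here)."""
    host = normalise_host(host)
    if not host or "*" in host:
        return False
    try:
        ipaddress.ip_address(host)
        return False  # an IP literal is never a DNS name
    except ValueError:
        pass
    for entry in san_dns_names:
        entry = normalise_host(entry)
        if "*" in entry:
            if allow_wildcards and wildcard_matches(entry, host):
                return True
        elif entry == host:
            return True
    return False


if __name__ == "__main__":
    for h in ["www.example.com", "evil.example.com", "a.b.example.com", "example.com"]:
        print(h, "explicit:", hostname_matches(h, SAN_EXPLICIT),
              "wildcard:", hostname_matches(h, SAN_WILDCARD))
```

With `allow_wildcards=False` the only names that pass are the ones the CA actually vetted and listed, which is the property Duane is after; with wildcards on, every label under the suffix passes, vetted or not, and that is the gap the explicit list closes.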

Re: EV guidelines

Ben Bucksch
In reply to this post by Gervase Markham
Gervase Markham wrote:
> Some comments on your post. Please understand that I'm not being
> defensive about EV, or claiming that it's perfect - I just want to
> test your arguments a little bit.

OK. My thought is that we don't have many chances to push things like
that and have users consider it. If we make them aware of it, it better
be bulletproof, or we should not bother them with it, just treat it as
little better SSL cert, no special treatment.

> Right. But how many phishers have an office with a street sign saying
> "eBay" and a lobby?
> ...
> Except you can't, because there won't be any information sources which
> confirm that your number belongs to Microsoft. Because it doesn't.
> ...
> I don't think any information source would confirm that your address
> belonged to eBay.

Reliable sources like the phonebook or a random commercial database?

You are, and the CAs writing the guidelines are, not assuming that the
procedures are specifically gamed, things so arranged that the malicious
applicant would pass them, including renting a fake office with sign,
putting up fake phone numbers and listing them for a few days or
weeks, or specifically targeting the commercial database(s) that the CA
uses to get your bad info in there. Esp. the latter is probably
trivially easy, because the commercial databases are not security shops,
just providing contact info for initiating business. Esp. so in the US,
from what I've heard.

Whole subject of social engineering. Compare how easy it was (and still
is!) to get a random person's phone records from their own telco, if you
simply call the telco and claim to be police, father, whatever.
Similarly, I can just call my telco (from any number) and change the
bank account, billing name (!) and address, almost any data.

The CAs and guidelines (and you) don't take social engineering and
similar into account. Big error. That's what I'm pointing out.

That's why there needs to be something that can't be faked, or has a
very well-known and established risk (even when considering fraud), e.g.
a hand-written signature that has been checked.

>> To top it, this number can then be used to verify the signature, with
>> "a response from someone who identifies themselves as such person
>> confirming that he/she did sign the applicable document".
>
> I think you misunderstand the purpose of this step. It's to make sure
> that a rogue employee doesn't apply for a certificate using the name
> of someone else at the company who would be authorised to make the
> application.

I don't know how you read that out "confirming that he/she did sign the
applicable document".
>> If the CA follows the EV guidelines and the user gets ripped off,
>> the CA is not liable at all - be it due to hole in the guidelines or
>> other reasons.

One example: Let's say the guideline requires checking the signature.
The CA has a record saying that they checked it. But the signature was
still faked, and quite obviously so. Who's to blame? With this rule: the
browser user. Although clearly the CA is to blame, and needs to take
responsibility for its own failure.

Thus: the CA needs to take liability, if they issue bad certs, no matter
which procedure they followed, no matter the situation. Then they
actually have financial incentive to check thoroughly, instead of
checking as little as possible to sell as much as possible.

> So if, for example, someone gets an EV cert and uses it for phishing,
> we can analyse how they did it and tighten up the guidelines to close
> the loophole.

You think this will happen, and be implemented, in a timely manner (days to weeks, not
months)? I don't think so.

>> I really think that every CA-issued certificate must be verified
>> using the following steps:
>
> Just to check: you mean _every_ CA-issued certificate?

Yes. Or rather, every CA customer. The CEO can delegate to one or more
managers or admins, and that admin can then get a digital signature, and
with that the admin can create new certs on the fly automatically
without any paperwork, issued immediately.

> Say we wrote our own guidelines, and said to all the CAs "unless every
> cert you issue meets these, we'll yank your root". Who do you think
> would blink first?

Given that nothing breaks anymore, we have no need to blink.

And I don't think we can put up US banks as good example for users
either, so we don't even need to care about them being "approved".

>>    1. Using the official state register of companies to verify company
>>       name and representing natural person
>
> What about issuing certs to people or organisations which aren't
> companies?

See below. Natural persons have a passport and can get a cert in their
own name.

Organisations which have no legal body or no money backing won't get
one, because they can't uphold "when poked at". If this is about
organisations like open source projects, or tiny business like mine, the
project leader would need to get one in his own name. FWIW, I am legally
required to publish my name, address and phone number on my website
anyways (German law for professional publishing, for accountability -
no, private blogs and co don't fall under that).

> What about countries where there is no such register, or it's unreliable?

Example?
I guess we'd have to see how things work there, how they can be made
reliably based on their customs. In a few countries, Africa maybe, this
may not be possible, but we don't want the Nigerian scammer to get an EV
cert, do we?

>>    2. Acquiring written signature (original) of that person
>>    3. Checking the signature against the ID card / passport of that
>> person
>
> One draft of a precursor document to the EV guidelines included a
> requirement for a site visit, and that you had to meet up with the
> applicant and take a photo of them with their government issued ID,
> and record the number thereon. I still think this was a great idea,
> but unfortunately I was not in a majority.

Right!

Well, who cares about majority when we're facing 25 CAs? You said we
effectively have a veto right, so...

why blink?    :-)


:-) still smiling, not blinking.

>> This, and pretty much only this, will ensure that the card holder
>> really is who he claims to be, in real life, as seen by the
>> government and courts. Thus, before EV, I assumed that the above is
>> performed for the $100/year certs.
>
> Really? There's no way any CA could make money doing this at $100 a cert.

Nonsense. Sorry, that's just CA margin-improving nonsense.

First, they make $100 (per year, per cert) for that action (once, per
customer). And it's $1000 now with EV.

As I said, exactly this is offered as service in Germany for 10 Eur,
one-time fee. If they can make a site visit, they can also look at a
personal ID card and check a signature. My grocery store does it! What
gives?

> In the US, there are networks of companies which will do site visits
> and this sort of verification for you, but in other countries, there
> aren't. Such a visit would cost several hundred dollars to have performed.

Nobody's forcing them to have a flat world-wide fee. In fact, lots of
things will be different in many countries, out of necessity, even with
EV as-is.

>> Note that I think that natural persons and small companies should
>> also be able to get an EV cert, from the start.
>
> But then how can your step 1), above, work?

Well, it would of course not be necessary to associate applying company
with a natural person, because we already have a natural person with
signature and papers.

>> We could e.g. then show the cert holder name next to the domain name
>> in the urlbar, so that the real world name is a trust root, in
>> addition to the domain.
>
> Their legal business name? Or their "trading as" name? Or the real
> name of the person at the company who made the application?

I don't know. I'd say the legal business name - "trading as" would be a
different field.

I'm not familiar with the differentiation, because it does not exist in
Germany, or rather is not important. I am 'trading as' "Beonex", but I
am legally "Ben Bucksch", and I *have* to say the latter in any official
communication. Beonex is just a nickname. In my case, the cert for
Beonex would need to say "Ben Bucksch", because that's the only legal
entity that exists. You cannot sue Beonex, only me.


Thanks,

Ben

Re: EV guidelines

Ben Bucksch
In reply to this post by Ben Bucksch
Florian Weimer wrote:
> I don't think the register of companies is useful for this purpose.
> Anyone can get on it.
>  

Sure you can get on it, but under which name? You can't incorporate
"eBay GmbH" in Germany, because there's already a company in that name,
nor "eBay Internet Services GmbH" or whatever you make up.

> Good fake passports are usually cheaper than government-issued ones.
>  

For German passports? Please tell me suppliers :).

(Beloved government agency of any kind: This was a joke, or rather
purely out of interest.)

> Experience tells that there is
> close to zero risk for the CA, so it does not make sense to spend
> money on better checks.

Fine, if they think so, let them bet their money on it. *Their* money,
not that of others.

> And since there are so few attacks, we haven't got a good threat
> model, either.
>  

I posted a threat model a year or longer ago on n.p.m.crypto. S/MIME is
pretty much useless due to the free, automatically issued certs. Read
there for details.

> Personally, I think that in order to make a difference, EV
> certificates must verify not only that the certificate holder is in
> control of embedded domain names (the usual EV CPS is basically
> equivalent to domain-control certificates in this area), but also that
> the certificate holder has got all the relevant trademark rights.
>  

Makes sense. Add fair checks to the requirements as you want, but those
3 I mentioned are the minimum, IMHO.

--
When responding via mail, please remove the ".news" from the email address.

Re: EV guidelines

Boris Zbarsky
In reply to this post by Ben Bucksch
Ben Bucksch wrote:
> See below. Natural persons have a passport

As pointed out several times now, this is not strictly true.

Unless by "passport" you mean "some sort of government-issued ID".

A "passport" is a "government-issued ID that allows you to leave the country no
questions asked", which is why some people cannot get one.  ;)

-Boris

Re: EV guidelines

Eddy Nigg (StartCom Ltd.)
In reply to this post by Gervase Markham
Hi Gerv,

Gervase Markham wrote:
>
> Just to be clear: They are not _intended_ to cost $1000/year upwards;

But which I predicted a while ago... As suggested previously, this is
mostly a marketing ploy, since the EV procedures can be performed with
or without a CA/Browser forum. I guess the prices will rather go up if
Mozilla goes along with the green carrot...

>
> I don't think any information source would confirm that your address
> belonged to eBay.

The procedures suggested by the EV guidelines are, if implemented and
performed correctly, pretty safe... Obviously verification of the address
and phone number by third party sources is only one of the steps
suggested. As for example with StartCom Class 2 certificates (so called
"reasonable" verification), it doesn't matter which phone number the
subscriber provides (that's just a convenience), but for verification
purposes only third party sources are considered and checked, together
with other material about the entity... I don't think that this is an
issue, and there is no loophole...

>
>> This whole thing has lots of loopholes. Given the experience and
>> market pressures, we have to assume that the CAs use the absolute
>> minimum and cheapest standards that still pass the guidelines, and
>> they'll automate as much as possible.

That's of course another story...

>
> So if, for example, someone gets an EV cert and uses it for phishing,
> we can analyse how they did it and tighten up the guidelines to close
> the loophole. With the previous, different-with-every-CA, ad-hoc
> procedures, that sort of thing wouldn't have been possible.

If this forum weren't a monopolistic organization, this would even have
been positive... But then again, I would like to see these various CAs
promote the EV standard without the green address bar... Guess what:
They'd disappear faster than you can see...

>
> it says "$2000 per Subscriber or Relying Party per EV Certificate".
> This means that if ten people are ripped off, they can claim $2000 each.

Well, there must be a distinction between subscriber and RP. It can't be
both... Per subscriber it's 2K, per RP it can be hundreds of 2K! So as
it currently states, the CA can choose whatever interpretation it
prefers... Make your own conclusion...

>
> One draft of a precursor document to the EV guidelines included a
> requirement for a site visit, and that you had to meet up with the
> applicant and take a photo of them with their government issued ID,
> and record the number thereon. I still think this was a great idea,
> but unfortunately I was not in a majority.

Huuu? Got this dropped? It used to be in the guidelines!? Well, if this
is the case, then it's not even worth considering the EV certs anything
else than Class 2. The site visit was also the major expense for the CA
I predicted... If this is not a requirement anymore, then I can't help
but ask why EV certs should be better than, let's say, any other
"reasonable" verified certificate?

>
> Really? There's no way any CA could make money doing this at $100 a
> cert. In the US, there are networks of companies which will do site
> visits and this sort of verification for you, but in other countries,
> there aren't. Such a visit would cost several hundred dollars to have
> performed.

Oh... here is the site visit again... There is something I'm missing here...


--
Regards
 
Signer:      Eddy Nigg, StartCom Ltd.
Phone:       +1.213.341.0390


Re: EV guidelines

Florian Weimer
In reply to this post by Duane-3
> Certificates with subjectAltName extensions should be able to
> replace wild card certificates, the question is what checks should
> be applied to hostnames?
>
> Most banks and other large entities have a list of hostnames as long
> as my arm for load balancing and other valid reasons, most often
> look deceptive in my opinion, and almost phishing like in some
> cases.

Host names like c1d3q2 are fine, but you shouldn't be allowed to use a
well-known or registered trademark.  If I read the Verisign CPS
correctly, I would be able to obtain a EV certificate for
citibank.enyo.de if I incorporated.  Given that it's not too hard to
set up a phony company, this undermines the purpose of EV
certificates, doesn't it?  After all, it's not about validation, it's
about identification.
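A pre-issuance lint in the spirit of Florian's proposal above (opaque load-balancer names pass, host names that embed a mark the applicant has not proven rights to go to manual review, as do names outside the applicant's verified domains). This is an added example, not code from the thread or from any CA; the mark list, applicant data and host names are constructed, and the eTLD+1 helper is a deliberate simplification.

```python
"""SAN host-name lint for an EV-style issuance pipeline (constructed example)."""

# Constructed sample list of well-known marks a CA might maintain.
WELL_KNOWN_MARKS = frozenset({"citibank", "ebay", "paypal"})


def registrable_domain(host):
    """Crude eTLD+1 (last two labels); a real pipeline would use the PSL."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def label_marks(label, marks=WELL_KNOWN_MARKS):
    """Marks embedded anywhere in one DNS label, e.g. 'citibank-login'."""
    label = label.lower()
    return {m for m in marks if m in label}


def check_san_hostnames(san_dns_names, applicant_domains,
                        applicant_marks=frozenset(), marks=WELL_KNOWN_MARKS):
    """Classify each dNSName as ('ok', []) or ('review', [reasons]).

    applicant_domains: domains for which control was verified.
    applicant_marks:   marks the applicant proved rights to (e.g. its own).
    Substring matching deliberately over-flags (Ben's point about generic
    trademarks), so the verdict is 'review', never an automatic denial.
    """
    results = {}
    for host in san_dns_names:
        h = host.lower().rstrip(".")
        reasons = []
        if registrable_domain(h) not in applicant_domains:
            reasons.append("domain not verified for applicant")
        for label in h.split("."):
            foreign = label_marks(label, marks) - set(applicant_marks)
            if foreign:
                reasons.append("label %r embeds mark(s) %s"
                               % (label, ", ".join(sorted(foreign))))
        results[host] = ("review", reasons) if reasons else ("ok", [])
    return results


if __name__ == "__main__":
    sample = ["c1d3q2.enyo.de", "citibank.enyo.de", "www.enyo.de"]
    for name, (verdict, why) in check_san_hostnames(sample, {"enyo.de"}).items():
        print(name, verdict, "; ".join(why))
```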

Re: EV guidelines

Ben Bucksch
In reply to this post by Duane-3
Florian Weimer wrote:
> Host names like c1d3q2 are fine, but you shouldn't be allowed to use a
> well-known or registered trademark.  If I read the Verisign CPS
> correctly, I would be able to obtain a EV certificate for
> citibank.enyo.de if I incorporated.

Right, that's the current phishing approach. It's not trivial to stop,
though. There are phoney generic trademarks, too, so you'd basically
shrink the namespace for (readable) hostnames to almost null.

> Given that it's not too hard to
> set up a phony company, this undermines the purpose of EV
> certificates, doesn't it?  After all, it's not about validation, it's
> about identification.

Well, the cert would say "Enyo GmbH". Assuming the user looks at that
(we should not discuss UI here, but let's say it's shown in or near the
URLbar). But you're right, a typical phishing victim could just as
easily be confused, given that they happily enter their bank login at
http://64.246.35.72/phase3/citibank.html

--
When responding via mail, please remove the ".news" from the email address.

Re: EV guidelines

Florian Weimer
In reply to this post by Eddy Nigg (StartCom Ltd.)
* Eddy Nigg:

> Huuu? Got this dropped? It used to be in the guidelines!? Well, if
> this is the case, then it's not even worth considering the EV certs
> anything else than Class 2. The site visit was also the major expense
> for the CA I predicted....

According to my reading of Verisign's CPS, the site visit is not
required if the applicant can prove that it's incorporated at the
given address.

Re: EV guidelines

Ben Bucksch
In reply to this post by Gervase Markham
Eddy Nigg (StartCom Ltd.) wrote:
> There is something I'm missing here...

Indeed. The link to the published EV guidelines in my original post.

(Did I mention they are *public* now? For everybody!)

Re: EV guidelines

Eddy Nigg (StartCom Ltd.)
In reply to this post by Gervase Markham
Ben Bucksch wrote:
>
> How about reading the guidelines?

I did read it! Thoroughly and multiple times... trust me on that one...

> They are public now. You work at a CA, don't you think it would be
> helpful? You even protest that you cannot participate in CABForum, but
> didn't read what it's about?

Since the guideline is not an entertaining news item of 10 lines, I
can't read it every here and now... So I reacted on information posted by
others and on the information which was new to me up to that moment.

>
> FYI, the guidelines often have many *alternatives* for each
> verification step.

Yes! And perhaps here are the hidden aspects you and others see a
problem with. Obviously, if a CA intends to implement and perform
according to the spirit and guidance of the EV guidelines, then the
verifications to be performed are effective! However, as somebody (you?)
pointed out, it might be likely to automate and circumvent certain
aspects, especially the more expensive ones... Or as you call it:
"Alternatives"... Perhaps one just has to learn the "alternatives" better ;-)

But what I wanted to show was that at one point there is a site visit
(and photo opportunity of the subscriber and company estate) and then all
of a sudden there is none... Confusing, isn't it?

--
Regards
 
Signer:      Eddy Nigg, StartCom Ltd.
Phone:       +1.213.341.0390


Re: EV guidelines

Eddy Nigg (StartCom Ltd.)
In reply to this post by Florian Weimer
Hi Florian,

Florian Weimer wrote:
>
> According to my reading of Verisign's CPS, the site visit is not
> required if the applicant can prove that it's incorporated at the
> given address.

Mmmhh, may I ask, what exactly is Verisign's CPS and what is that of the
EV guidelines?

--
Regards
 
Signer:      Eddy Nigg, StartCom Ltd.
Phone:       +1.213.341.0390


Re: EV guidelines

Eddy Nigg (StartCom Ltd.)
In reply to this post by Florian Weimer
Hi Florian,

Florian Weimer wrote:
>
> According to my reading of Verisign's CPS, the site visit is not
> required if the applicant can prove that it's incorporated at the
> given address.

Mmmhh, may I ask, what exactly has the Verisign CPS to do with the EV
guidelines?

--
Regards
 
Signer:      Eddy Nigg, StartCom Ltd.
Phone:       +1.213.341.0390


Re: EV guidelines

Florian Weimer
* Eddy Nigg:

>> According to my reading of Verisign's CPS, the site visit is not
>> required if the applicant can prove that it's incorporated at the
>> given address.

> Mmmhh, may I ask, what exactly has the Verisign CPS to do with the EV
> guidelines?

I was under the impression that the EV appendix of the Verisign CPS
implements the EV guidelines.

Re: EV guidelines

Ben Bucksch
In reply to this post by Boris Zbarsky
Boris Zbarsky wrote:
> Ben Bucksch wrote:
>> See below. Natural persons have a passport
>
> As pointed out several times now, this is not strictly true.

I argued that

    * the difference is not serious in this case. It may actually be
      relevant (if you don't pay for your children, you don't fulfill
      your financial duties and probably shouldn't get EV), and it has
      workarounds (only *new* passports won't be issued, and there may
      be a vice president or whatever registered as representative which
      can jump in).
    * we *need* it to make the identification secure enough.


> Unless by "passport" you mean "some sort of government-issued ID".

Some *secure* government-issued ID, yes. That's what I meant with
"passport". German ID cards count, German driver's licenses don't, and
US driver's licenses don't.

And the rules may have to be adapted somewhat per country anyways,
because things may be different in some country. Just like there's a US
speciality to deny people a passport, there may be completely different
specialities (related to different points in EV) in other countries.

--
When responding via mail, please remove the ".news" from the email address.