
Friday, 30 August 2013

Self Signed Security

For many years we have been evangelising the strength of the hierarchical trust model of PKI and putting up large warning signs whenever we see a self-signed certificate.  I think we got it completely backwards, and have been putting our trust in the wrong place.

The entire PKI architecture was designed to solve the man-in-the-middle problem: how do I know you are who you say you are, and not someone else pretending to be you?  To do this we created certificates, which are public keys bound to a name and signed by a third party.  The theory is that we trust the certificate authority that signed the key, and believe that its registration authority has validated the identity of the subscriber who asked for the key to be signed.

But nearly every assumption in that theory fails in practice.

We know that certificate authorities become trusted by getting their root certificates into the root programs run by browser and operating system vendors.  They are trusted because of a commercial and audit relationship between the CA and the vendor, an externality to the users of the system.

We know for sure that we can't trust the certificate authority.  The 2011 breaches of Comodo and DigiNotar let attackers mint fraudulent certificates for domains they did not control, signed by CAs that every browser trusted.  We also know that CAs have issued subordinate CA certificates to organisations wanting to intercept traffic on their own networks; whoever holds such a certificate, a national government included, can mint a trusted certificate for any domain and intercept any connection that trusts the parent root.

We know that registration authorities validate as little as they can get away with: for a domain-validated certificate, usually no more than a reply to an e-mail sent to an address at the domain in question, or a match against its WHOIS records.

So what are the alternatives?

Definitely not certificate pinning.  It does not scale beyond a handful of high-profile sites whose keys a browser vendor is willing to ship, and it doesn't address the underlying problems with the architecture.  It's a band-aid on a gaping wound.

Convergence looks interesting, but I suspect that, implemented as suggested, it would suffer from all the same problems.  We would have to trust notaries rather than certificate authorities, and it ends up looking like the web of trust model from PGP, and that failed dismally.

I propose that the answer is self-signed certificates.  I know that I trust me.  I control everything about the issuing and revocation of my certificates, and so does every other subscriber.  While it is possible for anyone to mint a certificate that looks like mine, an attacker would have to mint one for every site to reproduce the current man-in-the-middle strategy, where a single compromised CA covers them all.  The catch, which SSH solved years ago, is that the relying party must remember the key it saw first and refuse to continue when it changes; a self-signed certificate that no client pins protects nobody.  We don't make it less secure for the defenders, but we make it far more difficult and costly for the attackers, and that makes us all more secure.

Sometimes the old ways really are the best.

Phil Kernick, Chief Technology Officer
@philkernick www.cqr.com

Wednesday, 20 March 2013

19th century PKI

Over the last few years more and more reports have been published claiming that PKI is fundamentally flawed.  The failure of the Dutch CA DigiNotar is widely claimed to be the final proof.  But I disagree.  The problems with PKI fall into two categories: "you're doing it wrong"; and "you're using it wrong".  Neither of these has anything to do with the underlying cryptography.

The problem that PKI is intended to address is trust.  I can trust what you say if someone I trust vouches for what you say.  It really is that simple to state, and at the same time fiendishly complicated to implement correctly.

It may surprise you to know that we've been doing PKI since at least the 19th century, in the person of the Justice of the Peace: someone who witnesses a signature on an official document.  The receiver of the document trusts that it is genuine because they trust the JP, and the JP saw you sign it.

However, the 19th century version has exactly the problems that current PKI has.  When I had a legal document witnessed at the local public library, the JP had no way of validating that the form I was signing was genuine.  He also made no effort to validate that what I signed was really my signature, nor that I was the person referenced on the form - which makes sense, as there is no way he could have done that anyway.

What he asserted is that a real person made a real mark on a real piece of paper.  Everything else is covered by laws against fraud.  And this has worked for more than 100 years, and continues to work today.

If we used current PKI to do only this - assert that a real computer made a real communication at a definite time - everything would be fine.  But we don't.  We want to know which computer, and so we ask questions about identity, and then act surprised when the implementations fail us.

PKI is the answer.  It's the question that's wrong.

Phil Kernick, Chief Technology Officer
@philkernick www.cqr.com