²þÁ±¤¹¤ëing Authentication On The Internet

¸«²ò¡¿ËÝÌõ¡¿ÈÇ 0.4 - 2005-05-12

Introduction

The ¸½ºß¤Î system for °ÂÁ´¤Ê¡¦Êݾڤ¹¤ëing end-»ÈÍÑ¼Ô ½èÍý¡¿¼è°ús over the Internet consists of ¡Ê·Ù»¡¤Ê¤É¤Ø¤Î¡ËÌ©¹ð¡¤¹ðÁʡʾõ¡Ë °Üž ·Ðͳ¤Ç HTTP over SSL, with ¿®ÍÑ ÀßΩ¤¹¤ëd using server-based ¾ÚÌÀ½ñs. The ¹½À®Í×ÁÇs of this system need re-¿Ç»¡¤¹¤ëing in the light of the ¸½ºß¤Î ¶¼¤·s to Internet-based ¾¦¶È.

¶¼¤· ʬÀÏ

There are three classes of ¶¼¤· to °ÂÁ´¤Ê¡¦Êݾڤ¹¤ë ½èÍý¡¿¼è°ús over the internet, which are within the domain of this paper. (¶¼¤·s such as server ÂŶ¨, company ½¾¶È°÷ dishonesty, trojaned ¡ÊÊÛ¸î»Î¤Î¡Ë°ÍÍê¿Ís and so on are outside its ÈÏ°Ï.) They are:

1. Eavesdropping (someone is listening to my conversation)
2. Impersonation (I'm not conversing with who I think I am)
3. Scamming (I'm conversing with who I think I am, but they are dishonest)

The difference between impersonation and scamming is as follows. Impersonation is where I think I'm conversing with Barclays Bank, but ¸½¼Â¤Ë I'm knowingly conversing with www.°ÂÁ´¤Ê¡¦Êݾڤ¹¤ë-barclays.co.uk, who I assume are Barclays but are not. Scamming is where I am conversing with what appears to be a ¹çˡŪ organisation such as a ¾¦Çä¡¿»Å»ö, but they misuse the ¡Ê·Ù»¡¤Ê¤É¤Ø¤Î¡ËÌ©¹ð¡¤¹ðÁʡʾõ¡Ë I give them.

Is "scamming" the best word here? It needs to be ÌÀ³Î¤Ê¡¿ºÙÉô enough not to ´Þ¤à those items covered under impersonation, so words like "dishonesty", "º¾µ½" and so on don't work. "Misrepresentation"? "¸í¤Ã¤¿ pretences"?

¸½ºß¤Î ¶¼¤·s

If we look at which of the ¶¼¤·s is most ήÉÛ¤·¤Æ¤¤¤ë in May 2005, the answer is ÌÀ³Î¤Ë impersonation, in the form of "phishing". Phishing is the setting-up of µ¶¤Î websites ¼ñ»Ýing to be those of ¸ºß¤¹¤ëing °æ¸Í¡¿ÊÛ¸î»ÎÀÊ-known ¡ÊÆÈΩ¤Î¡Ë¸ºßs, with the ÌÜŪ¡Ê¤È¤¹¤ë¡Ë of ¼ý³Ïing ²ÁÃͤΤ¢¤ë ¡Ê·Ù»¡¤Ê¤É¤Ø¤Î¡ËÌ©¹ð¡¤¹ðÁʡʾõ¡Ë such as bank login ¾ÜºÙ¡Ê¤Ë½Ò¤Ù¤ë¡Ës or credit card numbers. The ¸ºß of the 300-member Anti Phishing Working Group is ¾Úµò of »º¶È ´Ø¿´ over this ÌäÂ꡿ȯ¹Ô¤¹¤ë.

No-one is ³ä¤ìÌÜing the encryption on °ÂÁ´¤Ê¡¦Êݾڤ¹¤ë ´Ø·¸s because the value of the data °ÂÁ´¤Ê¡¦Êݾڤ¹¤ëd by a Áª¤Ó½Ð¤¹¡¿ÆÈ¿È ½èÍý¡¿¼è°ú is °ìÈÌ¤Ë far too low. This is ¤¢¤ê¤½¤¦¤â¤Ê¤¤ to change; as ³ä¤ìÌÜing ¶âʪÎà¡¿Éð´ïÎà gets cheaper, ½ÅÍ×¤Ê lengths get longer and ³ä¤ìÌÜing gets harder. But the ¿äÏÀ¤¹¤ë¡¿Íýͳ that there are not so many ¥³¥ó¥Ó¥Ê¡¼¥È¡¿Ê£¹çÂÎ scamming attacks is not technical but pragmatic - impersonation ºîÉÊ, and it is so much easier and cheaper. As impersonation gets harder, scamming will rise.

Today, almost all phishing is ¹Ô°Ù¡¿¹Ô¤¦d over Èó¡¤ÉÔ¡¤Ìµ-°ÂÁ´¤Ê¡¦Êݾڤ¹¤ë channels, putting the combatting of it outside the ÈÏ°Ï of the model. (That is to say, we have an important »Å»ö to ±¿Æ° phishers ¤Î¾å¤Ë SSL, but that how to do it is outside the ÈÏ°Ï of this paper.) However, as »ÈÍÑ¼Ô Ç§¼±¡¿°Õ¼±À­ and education ²þÁ±¤¹¤ës, phishers will look to Äɲ乤ë extra legitimacy to their ¾ì½ê¡¿°ÌÃÖs by ¶¡µë¤¹¤ëing a "°ÂÁ´¤Ê¡¦Êݾڤ¹¤ë" ´Ø·¸ to better ape ¹çˡŪ ¾ì½ê¡¿°ÌÃÖs. Then, the ¶¼¤·s of impersonation and scamming will start to ¾×·â the SSL model. It is useful to ¿Ç»¡¤¹¤ë how °æ¸Í¡¿ÊÛ¸î»ÎÀÊ it Êݸ¤ës against these ¶¼¤·s.

Privacy, Validation and Authentication

To ÀïÆ® the three »Ø̾¤¹¤ëd ¶¼¤·s, the model must ¶¡µë¤¹¤ë the ¤Ë°ú¤­Â³¤¤¤Æ ½êͭʪ¡¿»ñ»º¡¿ºâ»ºs:

1. Privacy - stopping people listening in - ÀïÆ®s eavesdropping.
2. (Domain) Validation - knowing that you are talking to www.good.com and not www.evil.com - ÀïÆ®s impersonation.
3. (¾ì½ê¡¿°ÌÃÖ Áàºî¼Ô) Authentication - knowing that the police can find the owners of www.good.com if they turn out to be crooks - ÀïÆ®s scamming.

For our ÌÜŪs, privacy from eavesdropping remains unchallenged. Privacy is ¶¡µë¤¹¤ëd by encryption, and any variation is a µ¡Ç½¡Ê¤¹¤ë¡Ë¡¿¹Ô»ö of the strength of the encryption used. However, using high-grade encryption for all ½èÍý¡¿¼è°ús is technically Ê¿°×¤Ê and financially Èæ³Ó¤·¤Æ °Â²Á¤Ê. Notwithstanding the enormous À®²Ì¡¿ÅØÎÏs some go to for small successes, no-one Ëܵ¤¤Ç argues that e.g. the Á°¿Ê¤¹¤ëd AES-256 algorithm can be broken by an eavesdropping ¹¶·â¼Ô.

Validation, at least of domain »ÙÇۡʤ¹¤ë¡Ë¡¿ÅýÀ©¤¹¤ë, is also not ¸½ºß¡¿°ìÈÌ¤Ë an ÌäÂ꡿ȯ¹Ô¤¹¤ë. Assuming the method of ÀÜ¿¨¤¹¤ëing a domain owner is °ÂÁ´¤Ê¡¦Êݾڤ¹¤ë, domain validation can also be ¶¡µë¤¹¤ëd with ¿Æ² ´ËϤ¹¤ë.

Authentication, on the other ¼êÅϤ¹, is much more of a continuum, because it ȼ¤¦¡¿´Ø¤ï¤ës those tricky real-world ³µÇ°s of ¿È¸µ, ¿®ÍÑ, honesty and so on. It's also hard to ¼êÃÊ, and the methods for ³Î¼Â¤Ë¤¹¤ëing it change over time. Authentication is needed partly for ͽËÉ (¹¶·â¼Ôs will be µ¤¤¬¿Ê¤Þ¤Ê¤¤ to ÌÀ¤é¤«¤Ë¤¹¤ë¡¿Ï³¤é¤¹ ¡Ê·Ù»¡¤Ê¤É¤Ø¤Î¡ËÌ©¹ð¡¤¹ðÁʡʾõ¡Ë about themselves) and partly for after-the-fact accountability. As Bruce Schneier points out, we can never be 100% successful in ˸¤²¤ëing attacks, and so enabling ¡ÊÈȺᡤɵ¤¤Ê¤É¤Î¡Ëȯ¸« and ÊÖÅú need to be a part of the ²òÅú.

I therefore ¼¨º¶¤¹¤ë that privacy, validation and authentication are ´Ø·¸¤Î¤¢¤ë as shown by the diagram to the ¸¢Íø.

Normal web ´Ø·¸s over HTTP have no privacy except that accidentally ¶¡µë¤¹¤ëd by ÌÖ¾õÁÈ¿¥ topology, no validation except for that ¶¡µë¤¹¤ëd at domain ÅÐÏ¿ or IP-ȯ¹Ô time, and no ½ÅÍ×¤Ê authentication. It therefore Íî¤Á¤ës into the ºÇ¹â¤Î¡¤¤ò±Û¤¹ left square.

A °ÂÁ´ model which ¶¡µë¤¹¤ëd only privacy (Äì¡Ê¤ËÆϤ¯¡Ë left square) would be like SSH - when you connect to a ¾ì½ê¡¿°ÌÃÖ for the first time it ¶¡µë¤¹¤ës you with a ½ÅÍ×¤Ê »ØÌæ. You then need to use ³°Éô¤Î means to make sure that ½ÅÍ×¤Ê »ØÌæ belongs to the person you think you are talking to. Only after that can you ÊÝ¾Ú¡Ê¿Í¡Ë you are always talking to the same person. While this model has worked °æ¸Í¡¿ÊÛ¸î»ÎÀÊ in those areas where SSH is used, the ¸øÀµ¤Ë¡¿¤«¤Ê¤ê obvious unlikelihood of millions of end-»ÈÍѼÔs going through this ²áÄø for each °ÂÁ´¤Ê¡¦Êݾڤ¹¤ë ¾ì½ê¡¿°ÌÃÖ they visit means that it's not appropriate for SSL. The distinction between the ºÇ¹â¤Î¡¤¤ò±Û¤¹ left and Äì¡Ê¤ËÆϤ¯¡Ë left squares is not ´ØÏ¢¤·¤¿ to an end-»ÈÍѼÔ.

A model which ¶¡µë¤¹¤ëd only validation (ºÇ¹â¤Î¡¤¤ò±Û¤¹ ¸¢Íø square) would be one which made sure you were connected to the ¾ì½ê¡¿°ÌÃÖ you thought you were, but µö¤¹d anyone to listen in. The use of °ÂÁ´¤Ê¡¦Êݾڤ¹¤ë DNS with HTTP is in this ÉôÎà.

A model which ¶¡µë¤¹¤ëd only privacy and validation (Äì¡Ê¤ËÆϤ¯¡Ë ¸¢Íø square, base of arrow) would mean that you connect to a ¾ì½ê¡¿°ÌÃÖ, and you are ³Î¤«¤Ê you've connected to that ¾ì½ê¡¿°ÌÃÖ, but you have to use means ³°Éô¤Î to the SSL model to get authentication - i.e. to make sure the ¾ì½ê¡¿°ÌÃÖ is owned by who you think it is, and that the ¾ì½ê¡¿°ÌÃÖ owners are ¿®Íê¤Ç¤­¤ë. Examples might be "Personal Computer World recommended them", "My brother bought something last month and it went ȳ¶â", or a browser plugin from a ¿®ÍÑd provider which ¸ÀµÚ¡¿´ØÏ¢d a ̾Êí¡Ê¤ËºÜ¤»¤ë¡Ë¡¿É½¡Ê¤Ë¤¢¤²¤ë¡Ë of ¿®ÍÑd ¾ì½ê¡¿°ÌÃÖs for you and showed its findings.

Privacy and validation are prerequistes for authentication. If you have no privacy, the ¶²¤é¤¯-authenticated ¡ÊÆÈΩ¤Î¡Ë¸ºß could ¡Ê¿ÍÌ¿¤Ê¤É¤ò¡ËÃ¥¤¦¡¤¼çÄ¥¤¹¤ë "we were eavesdropped". If you have no validation, they could ¡Ê¿ÍÌ¿¤Ê¤É¤ò¡ËÃ¥¤¦¡¤¼çÄ¥¤¹¤ë "you weren't ¸½¼Â¤Ë talking to me". Therefore, the authentication continuum is rooted only in the Äì¡Ê¤ËÆϤ¯¡Ë ¸¢Íø square, and proceeds from there.

How °ÂÁ´¤Ê¡¦Êݾڤ¹¤ë ½èÍý¡¿¼è°ús Work Now

The ¸½ºß¤Î model ºîÉÊ as follows. Web browsers ´Þ¤à a number of "root ¾ÚÌÀ½ñs", which belong to ¾ÚÌÀ½ñ Åö¶É (CAs) and are ʬÇÛ¤¹¤ëd with '¿®ÍÑ bits' »Ï¤á¤ë¡¤·è¤á¤ë by default. Browser À½Â¤¶È¼Ôs choose whose root ¾ÚÌÀ½ñs to ´Þ¤à; their methods of choosing ÊѲ½¤µ¤»¤ë. A number of °æ¸Í¡¿ÊÛ¸î»ÎÀÊ-known CAs, such as Verisign and Geotrust, have their root ¾ÚÌÀ½ñs in all major browsers.

When someone comes to a CA with a request for a ¾ÚÌÀ½ñ ("cert") for a particular ¾ì½ê¡¿°ÌÃÖ, they do some Ω¾Ú to check that the person asking is µö¤¹d to have that ¾ÚÌÀ½ñ. Validation is ¶¡µë¤¹¤ëd by checking that the person asking for the ¾ÚÌÀ½ñ ¸½¼Â¤Ë »ÙÇۡʤ¹¤ë¡Ë¡¿ÅýÀ©¤¹¤ës that domain. Beyond that, different levels of authentication can be reached by doing different sorts of checks. The ÎÌ of authentication ÊѲ½¤µ¤»¤ës from CA to CA, and even between different À½ÉÊs of the same CA. After Ω¾Ú, the CA uses its root ¾ÚÌÀ½ñ to Ä´°õ¤¹¤ë a server ¾ÚÌÀ½ñ for that ¾ì½ê¡¿°ÌÃÖ, and ¼êÅϤ¹s it over to the requestor.

The ¼ê³¤­s of a CA, ´Þ¤àing the ÎÌ of Ω¾Ú done, are »Ï¤á¤ë¡¤·è¤á¤ë É餫¤¹¡¿·âÄƤ¹¤ë in a ʸ½ñ called the ¾ÚÌÀ½ñ Pratice À¼ÌÀ (CPS), ÍøÍѤǤ­¤ë from the CA's website. A CA's Ʊ°Õ¡¿Éþ½¾ with their CPS is »ý³¤¹¤ëd ·Ðͳ¤Ç ÆÈΩ¤·¤¿¡¦Ìµ½ê° audit.

When a browser visits a °ÂÁ´¤Ê¡¦Êݾڤ¹¤ë website, it ÄÄÎ󤹤롤ȯ´ø¤¹¤ës a ·Ù¹ð if it is not able to ¼Â¾Ú¤¹¤ë the ¾ÚÌÀ½ñ - that is, if it is not Ä´°õ¤¹¤ëd by one of the root ¾ÚÌÀ½ñs. Thereafter, the browser's "°ÂÁ´¤Ê¡¦Êݾڤ¹¤ë" UI is ÄÄÎ󤹤롤ȯ´ø¤¹¤ëd as normal. For that ¾ì½ê¡¿°ÌÃÖ, it Âåɽ¤¹¤ës secrecy only, even if the »ÈÍÑ¼Ô chooses "don't ·Ù¹ð¤¹¤ë me again". If the ¾ÚÌÀ½ñ is Ä´°õ¤¹¤ëd by a root ¾ÚÌÀ½ñ, the UI appears automatically, but this time Âåɽ¤¹¤ëing secrecy, validation and some unknown level of authentication.

¾ÃÈñ¼Ôs are °ìÈÌ¤Ë not aware of these ȳ¶â distinctions. Those who look for the UI (usually a lock icon) at all consider it a binary Ä´°õ¤¹¤ë of "°ÂÁ´", and are encouraged to do so by banks, merchants, browser vendors and CAs. The presence of the lock is °·¤¦¡¿¼£ÎŤ¹¤ëd as a ¹ÎÄêŪ¤Ê answer to the question "can I °ÂÁ´¤Ë use my credit card number or do online banking on this ¾ì½ê¡¿°ÌÃÖ?"

If a ¾ÚÌÀ½ñ is incorrectly ÌäÂ꡿ȯ¹Ô¤¹¤ëd or the »äŪ¤Ê ½ÅÍ×¤Ê is ÂŶ¨d and the problem is discovered, the CA ¼è¤ê¾Ã¤¹s the ¾ÚÌÀ½ñ by publishing its ¾ÜºÙ¡Ê¤Ë½Ò¤Ù¤ë¡Ës in a ¾ÚÌÀ½ñ Revocation ̾Êí¡Ê¤ËºÜ¤»¤ë¡Ë¡¿É½¡Ê¤Ë¤¢¤²¤ë¡Ë (CRL). If a CA suddenly ÌäÂ꡿ȯ¹Ô¤¹¤ës a ½½Ê¬¤Ê number of fraudulent certs, the browser À½Â¤¶È¼Ô could produce a °ÂÁ´ update to their ¥½¥Õ¥È¥¦¥§¥¢ which ½üµî¤¹¤ës that CAs root cerificates from the Ãߤ¨¤ë¡¿Å¹.

Shortcomings Of The ¸½ºß¤Î Model

No ÊÝ¾Ú¡Ê¿Í¡Ë of Authentication

The ¸½ºß¤Î SSL model, as used in browsers today, ¶¡µë¤¹¤ës good privacy and validation, but ¶¡µë¤¹¤ës no Êݾڡʿ͡Ëd authentication. The level of authentication ÊѲ½¤µ¤»¤ës from CA to CA, but there is no µÒ´ÑŪ¤Ê ¼êÃÊ and so the level is not encoded in any ´ð½à way into the ¾ÚÌÀ½ñ, and cannot be ÄÄÎ󤹤롤ȯ´ø¤¹¤ëd to the »ÈÍѼÔ. Even though validation alone is insufficient to ÀïÆ® phishing - a ¼Â¾Ú¤¹¤ëd ´Ø·¸ to www.paypal-»Ùʧ¤¤¡Ê³Û¡Ës.com is just as ´í¸±¤Ê as an insecure one to 12.34.56.78 - ºÇ¶á¤Î changes in the market show some CAs having to ¸º¤º¤ë the ÎÌ of checking they do ¡¼¤¹¤ë¤¿¤á¤Ë compete with other CAs who do not ¶¡µë¤¹¤ë authentication. Some CAs already expressly advertise and sell ¾ÚÌÀ½ñs with almost no authentication at all.

The audits a CA ¤ò¼õ¤±¤ës ñ¤Ë make sure that the ¼ê³¤­s they follow are those in their CPS. The audit makes no comment on whether the ¼ê³¤­s are Ŭ¤¹¤ë for ÀßΩ¤¹¤ëing a particular level of authentication. A CPS which said "we ÌäÂ꡿ȯ¹Ô¤¹¤ë ¾ÚÌÀ½ñs to everyone with no checking at all" would pass audit if the CA did what it Ìó«d.

No Revocation

A ¾ÚÌÀ½ñ, once ÌäÂ꡿ȯ¹Ô¤¹¤ëd, can't be ¼è¤ê¾Ã¤¹d - at least, not »ö¼Â¾å. No browser looks at CRLs by default, because they can run to hundreds of K in size and would have to be downloaded on the Èô¹Ôµ¡¤Ç¹Ô¤¯. A µÄÄê½ñ called Online ¾ÚÌÀ½ñ Status µÄÄê½ñ (OCSP) was invented to get around this ÌäÂ꡿ȯ¹Ô¤¹¤ë - it µö¤¹s checking the ÌÀ¸À¤¹¤ë¡¿¸øɽ¤¹¤ë of a Áª¤Ó½Ð¤¹¡¿ÆÈ¿È ¾ÚÌÀ½ñ in real time. However, for ¤µ¤Þ¤¶¤Þ¤Ê technical ¿äÏÀ¤¹¤ë¡¿Íýͳs only one browser (¥ª¥Ú¥é 8) À®¤·¿ë¤²¤ës this check by default.

No (Practical) ½üµî

If a CA started ÌäÂ꡿ȯ¹Ô¤¹¤ëing certs with no Ω¾Ú at all as a »öÊÁ of ¾¦Çä¡¿»Å»ö practice, the only Íê¤ß¤Î¹Ë a browser À½Â¤¶È¼Ô has is to ½üµî¤¹¤ë their root cert. This then ¸¶°ø¡Ê¤È¤Ê¤ë¡Ës error popups and ·Ù¹ðs for each »ÈÍÑ¼Ô who visits a ¾ì½ê¡¿°ÌÃÖ °ÂÁ´¤Ê¡¦Êݾڤ¹¤ëd with a cerificate Ä´°õ¤¹¤ëd by that cert. For large ¾ÚÌÀ½ñ Åö¶É who ÌäÂ꡿ȯ¹Ô¤¹¤ë the certs for many popular ¾ì½ê¡¿°ÌÃÖs, this would be »ö¼Â¾å almost impossible. To date, I know of no instance where such a ½üµî has ever happened.

Some Things Worse Than Nothing

Using a self-Ä´°õ¤¹¤ëd ¾ÚÌÀ½ñ, or one Ä´°õ¤¹¤ëd by an unknown CA, ¸½ºß¡¿°ìÈÌ¤Ë pops up a ·Ù¹ð dialog, which appears more scary to the »ÈÍÑ¼Ô than plain unencrypted HTTP. The two are ¸½¼Â¤Ë ƱÅù¡Ê¤Î¡Ë from an end-»ÈÍÑ¼Ô point of ¸«²ò¡Ê¤ò¤È¤ë¡Ë. In some browsers, connecting to a server ¶¡µë¤¹¤ëing only 40-bit encryption is also scarier than nothing.

·ÐºÑŪ¤Ês of Phishing

Before I ¼¨º¶¤¹¤ë some ²òÅús to the aforementioned problems, it is useful here to take a quick look at the ·ÐºÑŪ¤Ês of phishing, and how they might ±Æ¶Á¤¹¤ë¡¿´¶¾ð our choice of ³èÆ°¡¿ÀïÆ®s.

What ±¿Æ°s phishers to be so ÀѶËŪ¤Ê - the ´ê˾¡Ê¤¹¤ë¡Ë for money - is also their Achilles heel. Phishers will stop phishing when it's no longer economically sensible to do so. ¸½ºß¡¿°ìÈ̤Ë, »î¤ß¤ë¡¿´ë¤Æ¤ëing an SSL phish can cost next to nothing, and the ¿­¤Ó¡Ê¤ë¡Ës are ÀøºßŪ¤Ë ¹­Âç¤Ê¡¿Â¿¿ô¤Î¡¿½ÅÍפÊ. We need to µÕž¤¹¤ë this. There are two things you can do to make ÆÀ¤ëing ¾ÚÌÀ½ñ to use for fraudulent ÌÜŪs financially unviable. You can Áý²Ã¤¹¤ë the cost, or ²ÄǽÀ­¤Î¤¢¤ë cost, of ÆÀ¤ëing the ¾ÚÌÀ½ñ, and you can ¸º¾¯¡Ê¤¹¤ë¡Ë the ¿­¤Ó¡Ê¤ë¡Ë possible after the ¾ÚÌÀ½ñ has been ÆÀ¤ëd.

It would be hard to Áý²Ã¤¹¤ë the ºâÀ¯¾å¤Î cost of ÆÀ¤ëing a ¾ÚÌÀ½ñ ½½Ê¬¤Ë to Á˻ߤ¹¤ë phishing without also deterring a lot of ¹çˡŪ uses. Therefore, the Áý²Ã¤¹¤ëd cost has to be ¡¼¤Ë´Ø¤·¤Æ¡¿¡¼¤ÎÅÀ¤Çs of ÌÀ¤é¤«¤Ë¤¹¤ë¡¿Ï³¤é¤¹d ¡Ê·Ù»¡¤Ê¤É¤Ø¤Î¡ËÌ©¹ð¡¤¹ðÁʡʾõ¡Ë (useful to ˡΧ »Ü¹Ô) rather than money - i.e. in greater authentication.

Once a ¾ÚÌÀ½ñ has been ÌäÂ꡿ȯ¹Ô¤¹¤ëd, the only way to ¸º¾¯¡Ê¤¹¤ë¡Ë the ¿­¤Ó¡Ê¤ë¡Ë possible using it is to make it useful for ¤¤¤Ã¤½¤¦¾¯¤Ê¤¯ long. This would ȼ¤¦¡¿´Ø¤ï¤ë ÀßΩ¤¹¤ëing and using a real-time ¾ÚÌÀ½ñ revocation ÁÈ¿¥¡¿´ðÈס¿²¼Éô¹½Â¤.

Äó°Æ¤¹¤ëd Changes

Separate °ÂÁ´, Validation and Authentication

The browser UI should separate the ÄÄÎ󤹤롤ȯ´ø¤¹¤ë of °ÂÁ´, validation and level of authentication. This µö¤¹s the »ÈÍÑ¼Ô to know more Àµ³Î¤Ë¡¿¤Þ¤µ¤Ë what level of Êݸî they have against º¾µ½. It is hoped that browser À½Â¤¶È¼Ôs could ¶¦Æ±À½ºî¤¹¤ë on defining the form of this UI, as it is important that all browsers »ý³¤¹¤ë UI consistency ¡¼¤¹¤ë¤¿¤á¤Ë make it possible to define a simple ¾ÃÈñ¼Ô message. Some ¸Ç¤á¤ë¡¿¥³¥ó¥¯¥ê¡¼¥È suggestions are in Ãî¿â A; they are separated out because people may wish to agree with my ·ëÏÀ here but Ʊ°Õ¤·¤Ê¤¤ with my suggestions.

Define Authentication Levels

We should define a number of authentication levels that the UI should show, ¡¼¤Ë´Ø¤·¤Æ¡¿¡¼¤ÎÅÀ¤Çs which a ¾ÃÈñ¼Ô can understand and which can be ¸ÀµÚ¡¿´ØÏ¢d in the simple ¾ÃÈñ¼Ô message. The number of levels should be as low as can be got away with. Again, a ¸Ç¤á¤ë¡¿¥³¥ó¥¯¥ê¡¼¥È suggestion is in Ãî¿â A.

By ÌäÂ꡿ȯ¹Ô¤¹¤ëing ¾ÚÌÀ½ñs with Èó¡¤ÉÔ¡¤Ìµ-̵ authentication levels, the CA would be assuming some level of µÁ̳¡¿ÉéºÄ for any losses ¸¶°ø¡Ê¤È¤Ê¤ë¡Ëd by a ¼ºÇÔ to ¿³ºº¤¹¤ë out fraudsters. Àµ³Î¤Ë¡¿¤Þ¤µ¤Ë what µÁ̳¡¿ÉéºÄ they are assuming is again beyond the ÈÏ°Ï of this paper, but it would need to be such that this whole ±é½¬ isn't ñ¤Ë "°ÂÁ´ theatre". The costs of ¾ÚÌÀ½ñs at each level would probably È¿±Ç¤¹¤ë the level of µÁ̳¡¿ÉéºÄ the CA assumes.

Àµµ¬¤Î¡¿ÀµÁª¼ê ÆÈΩ¤·¤¿¡¦Ìµ½ê° audits of Ω¾Ú ¼ê³¤­s should be Í׵᤹¤ëd for all CAs. The results of each audit, and the nature of the Ω¾Ú ¼ê³¤­s, must be public. These audits should check that the ÎÌ of Ω¾Ú done for each type of cert ÌäÂ꡿ȯ¹Ô¤¹¤ëd is ½½Ê¬¤Ê for the authentication level for the root it is ÌäÂ꡿ȯ¹Ô¤¹¤ëd under. If the authentication level is "Èó¡¤ÉÔ¡¤Ìµ", the audit ñ¤Ë needs to ascertain that the CA's method of ÀÜ¿¨¤¹¤ëing a domain owner is °ÂÁ´¤Ê¡¦Êݾڤ¹¤ë. Beyond that, Àµ³Î¤Ë¡¿¤Þ¤µ¤Ë what checking should be done for each level is (thankfully) °æ¸Í¡¿ÊÛ¸î»ÎÀÊ beyond the ÈÏ°Ï of this paper, and is a »öÊÁ for the CAs, ¿®ÍÑ ÀìÌç²Ès and the auditor to work out between them.

Of course, browser À½Â¤¶È¼Ôs have the final say about which authentication level they ¼¨¤¹ each root cert with, and would reserve the ¸¢Íø to alter the ¼¨º¶¤¹¤ëd level downwards should there be ½ÅÍ×¤Ê levels of nefarious activity associated with ¾ÚÌÀ½ñs ÌäÂ꡿ȯ¹Ô¤¹¤ëd from that root. This µö¤¹s for finer-¹òʪd »ÙÇۡʤ¹¤ë¡Ë¡¿ÅýÀ©¤¹¤ë than ñ¤Ë ½üµî¤¹¤ëing ¾ÚÌÀ½ñs altogether.

Ideally, ¾ÚÌÀ½ñs with different ÎÌs of Ω¾Ú should be ÌäÂ꡿ȯ¹Ô¤¹¤ëd from different roots or sub-roots. The browser can Ãߤ¨¤ë¡¿Å¹ all of these in its ¾ÚÌÀ½ñ Ãߤ¨¤ë¡¿Å¹, and ¼¨¤¹ them with its ¸½ºß¤Î ¸«²ò¡Ê¤ò¤È¤ë¡Ë of their authentication level. (In practice, some root-cert-ÌÀ³Î¤Ê¡¿ºÙÉô heuristics may be necessary for °ä»º¡¿°äʪ roots.) For ¾ÚÌÀ½ñs with authentication, the fields (OU, O, C etc.) should be filled in with data that is ÄûÀµ¤¹¤ë ¤Ë¤è¤ì¤Ð the CA's knowledge, suitable for ÄÄÎ󤹤롤ȯ´ø¤¹¤ë to the »ÈÍѼÔ. For ¾ÚÌÀ½ñs with no authentication, the values should either be blank or ÌÀ³Î¤Ë È¿±Ç¤¹¤ë the CA's ·çÇ¡¡Ê¤¹¤ë¡Ë of knowledge of the ÄûÀµ¤¹¤ë values.

Enable Revocation

For authentication levels above "Èó¡¤ÉÔ¡¤Ìµ", quick ¾ÚÌÀ½ñ revocation is needed to ¸º¤º¤ë the value of fraudulently-ÆÀ¤ëd ¾ÚÌÀ½ñs. The only game in town for this, technically, is OCSP. Therefore, it should be a ɬÍ×ʪ¡¿É¬Í×¾ò·ï that ¾ÚÌÀ½ñs ÌäÂ꡿ȯ¹Ô¤¹¤ëd under roots ¼¨¤¹d for such authentication levels must have embedded OCSP URLs, pointing at a working OCSP responder.

Make All Insecure ´Ø·¸s The Same

SSL ´Ø·¸s which do not ¶¡µë¤¹¤ë ½½Ê¬¤Ê privacy or validation should be shown in the browser UI as plain HTTP ´Ø·¸s, with the exception that it must be possible to ¿­¤Ó¡Ê¤ë¡Ë Àܶá to the ¾ÜºÙ¡Ê¤Ë½Ò¤Ù¤ë¡Ës of the ¾ÚÌÀ½ñ, and it may be necessary to ¶¡µë¤¹¤ë an explanation why this "https" ´Ø·¸ is not ¼¨¤¹d as °ÂÁ´¤Ê¡¦Êݾڤ¹¤ë. Èó¡¤ÉÔ¡¤Ìµ of the UI used for »äŪ¤Ê/¼Â¾Ú¤¹¤ëd/authenticated ´Ø·¸s should be used.

Into this ÉôÎà of "ƱÅù¡Ê¤Î¡Ë to plain HTTP" I would put:

• Self-Ä´°õ¤¹¤ëd ¾ÚÌÀ½ñs
• ¾ÚÌÀ½ñs Ä´°õ¤¹¤ëd by unknown CAs
• ´Ø·¸s ¶¡µë¤¹¤ëing only 40-bit encryption

Define A Simple ¾ÃÈñ¼Ô Message

We should define a simple ¾ÃÈñ¼Ô message, which can be spread by CAs, browser À½Â¤¶È¼Ôs, banks and merchants. What the message is, depends on the UI used to separate °ÂÁ´, validation and authentication. A suggestion for a message is given in Ãî¿â A.

There will need to be a period of °Ü¹Ô when moving from the old to the new ¼ê¤Ï¤º¡¿½àÈ÷. Authentication levels need to be »Ï¤á¤ë¡¤·è¤á¤ë, ¼ê³¤­s need to be ¹©Éפ¹¤ëd, audits need to be À®¤·¿ë¤²¤ëd and new ¾ÚÌÀ½ñs need to be ÌäÂ꡿ȯ¹Ô¤¹¤ëd. To Èò¤±¤ë º®Í𤵤»¤ëing the ¾ÃÈñ¼Ô message with ²áÅÙ´ü¤Î ¡Ê·Ù»¡¤Ê¤É¤Ø¤Î¡ËÌ©¹ð¡¤¹ðÁʡʾõ¡Ë, we may want to have a ´ú day, such that browsers have ¥¿¥¤¥ß¥ó¥° code to turn on the new UI all at once when the other ¼ê¤Ï¤º¡¿½àÈ÷ are in place. This could be ¡Ä¤òȼ¤Ã¤Æd by a °ìÃפ·¤¿ publicity ¡ÊÁªµó¤Ê¤É¤Î¡Ë±¿Æ°¤ò¤¹¤ë around the ¾ÃÈñ¼Ô message that explains that UI.

---

Ãî¿â A: ¸Ç¤á¤ë¡¿¥³¥ó¥¯¥ê¡¼¥È Suggestions

Authentication Levels

I ¼¨º¶¤¹¤ë there should be three authentication levels, »Ø̾¤¹¤ëd around the most °ìÈÌŪ¤Ë-À®¤·¿ë¤²¤ëd activites by »ÈÍѼÔs over °ÂÁ´¤Ê¡¦Êݾڤ¹¤ë ´Ø·¸s. I am conscious that this does perhaps ¸½ºß¤Î an ¶Ëü¤Ë e-¾¦¶È-centric ¸«²ò¡Ê¤ò¤È¤ë¡Ë of SSL, but it's difficult to balance ´°Á´¤Ë¤¹¤ë Àµ³Î with having a simple ¾ÃÈñ¼Ô message. The levels I ¼¨º¶¤¹¤ë are:

1. Èó¡¤ÉÔ¡¤Ìµ
2. Shopping
3. Banking

The "Èó¡¤ÉÔ¡¤Ìµ" level must ¸ºß¤¹¤ë, because there are ¹çˡŪ uses for ¾ÚÌÀ½ñs which show no more than domain »ÙÇۡʤ¹¤ë¡Ë¡¿ÅýÀ©¤¹¤ë.

The "shopping" level would be the most ¤¢¤ê¤Õ¤ì¤¿, and used on ¾ì½ê¡¿°ÌÃÖs where ÂŶ¨ of ¡Ê·Ù»¡¤Ê¤É¤Ø¤Î¡ËÌ©¹ð¡¤¹ðÁʡʾõ¡Ë ÉáÄÌ¤Ï put into that ¾ì½ê¡¿°ÌÃÖ would lead to the loss of a Áª¤Ó½Ð¤¹¡¿ÆÈ¿È credit card number, or ƱÅù¡Ê¤Î¡Ë.

The "banking" level would be a ¾ÞÍ¿¶â À½ÉÊ suitable for companies or organisations for which a very high level of ¿®ÍÑ is needed. If ÂŶ¨ of ¡Ê·Ù»¡¤Ê¤É¤Ø¤Î¡ËÌ©¹ð¡¤¹ðÁʡʾõ¡Ë ÉáÄÌ¤Ï put into that ¾ì½ê¡¿°ÌÃÖ would lead to an ¹¶·â¼Ô having Àܶá to a »ÈÍѼÔ's bank accounts or ºâÀ¯¾å¤Î µ­Ï¿¡¤µ­Ï¿Åª¤Ê¡¿µ­Ï¿¤¹¤ës, the ¾ì½ê¡¿°ÌÃÖ should have a ¾ÚÌÀ½ñ at this level. Of course, there's nothing to ˸¤²¤ë shops buying these ¾ÚÌÀ½ñs, but I ·ùµ¿¼Ô¡¤ÍƵ¿¼Ô¡¿µ¿¤¦ that they would be °ÕÌ£¤¢¤ê¤²¤Ë more expensive and inconvenient to ÆÀ¤ë than "shop" level ¾ÚÌÀ½ñs.

Browser UI

Unlike the »Ä¤ê¡¿µÙ·Æ¡Ê¤¹¤ë¡Ë of this paper, this Ãî¿â is based around UI for Mozilla Firefox, although I am ¼¨º¶¤¹¤ëing it as the UI to be ²Ä·è¤¹¤ë¡¦ºÎÂò¤¹¤ëd ½ª»Ï°ì´Ó¤·¤Æ across all browsers. The ¤Ë°ú¤­Â³¤¤¤Æ discussion is based on the ÀßΩ¤¹¤ëd Firefox °ÂÁ´ UI ¸¶Â§ that there should be a piece of ever-¸½ºß¤Î and reliable UI from which »ÈÍѼÔs can make °ÂÁ´ ·èÄ꡿ȽÄ꾡¤Á¡Ê¤¹¤ë¡Ës. After much discussion, it was decided that using the status ˸¤²¤ë¡¿Ë¡ÄÊÛ¸î»Î¶È for this ÌÜŪ was the best ÂŶ¨ between making the °ÂÁ´ ¾õ¶· ¡Êµ¿¤¤¤ò¡ËÀ²¤é¤¹, and permitting believable and rich web »ÈÍÑ¡¿Å¬ÍÑs to be written.

Any discussion of how the UI should work for the new model has, unfortunately, to take account of history, in the ·ÁÂÖ¡¿Ä´À° of the question "what do we use the lock icon to Âåɽ¤¹¤ë?". There are two main schools of thought here.

The first ¸«²ò¡Ê¤ò¤È¤ë¡Ë is that which says that, in the real world, a lock is all about privacy (in the colloquial sense), and so we should use the lock icon for all SSL ´Ø·¸s which ¶¡µë¤¹¤ë privacy and validation (in their meanings I have used them in this paper). This ´ðËÜŪ¤Ë means that it would be used for all SSL ´Ø·¸s except self-Ä´°õ¤¹¤ëd. The validation UI would then be a separate »Ø¼¨¤¹¤ë¿Í¡Êʪ¡Ë.

The Âå°Æ¡¿ÁªÂò»è ¸«²ò¡Ê¤ò¤È¤ë¡Ë is that the lock is ¸½ºß¡¿°ìÈÌ¤Ë associated in a »ÈÍѼÔ's mind with some level of authentication, even if that's not ¸½ºß¡¿°ìÈÌ¤Ë true in practice. And therefore the lock should appear when some Èó¡¤ÉÔ¡¤Ìµ-̵ authentication level has been reached.

I believe that the first ¸«²ò¡Ê¤ò¤È¤ë¡Ë is ¤è¤ê˾¤Þ¤·¤¤, both ¡¼¤Ë´Ø¤·¤Æ¡¿¡¼¤ÎÅÀ¤Çs of making it Ê¿°×¤Ê to define a simple ¾ÃÈñ¼Ô message and ¡¼¤Ë´Ø¤·¤Æ¡¿¡¼¤ÎÅÀ¤Çs of ºÇ¾®¸Â change to its ¸½ºß¤Î de facto meaning and the meaning one could assume from its form. I therefore Äó°Æ¤¹¤ë a separate UI for authentication level - with the Äì¡Ê¤ËÆϤ¯¡Ë level ¸ºß ñÆÈ¤Ç the lock, and then Äɲ乤ëing extra symbols as authentication Áý²Ã¤¹¤ës.

The simple symbol most closely associated with money around the world is the dollar Ä´°õ¤¹¤ë, which is the ÄÌ²ß symbol in many countries. This is the best ¸õÊä¼Ô for a À¤³¦Åª¤Ê symbol. Another suggestion is a pile of coins.

For ¾ì½ê¡¿°ÌÃÖs Àܶád over SSL, Firefox ¸½ºß¡¿°ìÈÌ¤Ë shows a domain »Ø¼¨¤¹¤ë¿Í¡Êʪ¡Ë in the status ˸¤²¤ë¡¿Ë¡ÄÊÛ¸î»Î¶È. This is an anti-phishing ¼êÃÊ to ¤ò¼è¤ê°ú¤­¤¹¤ë URL ˸¤²¤ë¡¿Ë¡ÄÊÛ¸î»Î¶È Ê£»¨¤µ, and has the meaning "we are sure that this is the »Ø̾¤¹¤ë of the ¾ì½ê¡¿°ÌÃÖ you are on". This fits very °æ¸Í¡¿ÊÛ¸î»ÎÀÊ with the ³µÇ° of validation, and should be used to Âåɽ¤¹¤ë that.

I would therefore Äó°Æ¤¹¤ë a »Ï¤á¤ë¡¤·è¤á¤ë of UIs something like those given in the diagram to the ¸¢Íø (with ÄļÕs for my poor artistic µ»½Ñs.)

The use of Éղà UI to ¼¨¤¹ authentication level µö¤¹s the ¾ÃÈñ¼Ô message in general to be more a »öÎã¡¿´µ¼Ô of "Hey! Look what browser À½Â¤¶È¼Ôs and CAs have done together to ²þÁ±¤¹¤ë your safety!" rather than "Hey! The lock now means this level of ¿®ÍÑ, but this something else means this other level..."

Simple ¾ÃÈñ¼Ô Message

My suggestion for the Simple ¾ÃÈñ¼Ô Message would be something like (with suitable illustrations or ¡Ê±Ç²è¤Î¡Ë¥Õ¥£¡¼¥È¿ô of the dollar Ä´°õ¤¹¤ë UI) "When cash is at ²Ð·º¡¿ÅÒ¤±¤ë, check for the money! One for shopping, two for banking!". This ¤Æ¤³Æþ¤ì¡¿¼ÚÆþ»ñËÜs the small number of levels, the fact that they are defined in a way »ÈÍѼÔs can understand, and the novel nature of the UI.

Ãî¿â B: Changes Not Recommended

ÄÄÎ󤹤롤ȯ´ø¤¹¤ë of CA »Ø̾¤¹¤ë

It has been ¼¨º¶¤¹¤ëd that the browser show the »Ø̾¤¹¤ë and/or logo of the ¾ÚÌÀ½ñ Åö¶É in the °ÂÁ´ UI. The idea is that this µö¤¹s the »ÈÍÑ¼Ô to make a ºÛȽ¡¿È½ÃÇ as to the °ÂÁ´ of the ´Ø·¸ based upon their knowledge of the ɾȽ of the CA in question. There are a number of excellent arguments against this; I will À©¸Â¤¹¤ë myself to two main ones.

The brandable space ÍøÍѤǤ­¤ë in the UI for such an »Ø¼¨¤¹¤ë¿Í¡Êʪ¡Ë, if it is to be ÄÄÎ󤹤롤ȯ´ø¤¹¤ëd at all times, is probably about 15px high by 100px long - a Éôʬ of the status ˸¤²¤ë¡¿Ë¡ÄÊÛ¸î»Î¶È. There is ´ðËÜŪ¤Ë enough room for the company »Ø̾¤¹¤ë/logo, and little else.

¤Ë¤â¤«¤«¤ï¤é¤º, in order for a "¿®ÍÑ market" to be ÀßΩ¤¹¤ëd, the »ÈÍÑ¼Ô needs an ¶Ëü¤Ë ¿¼¤¤ understanding of CA brands. »ÈÍѼÔs would need to ¹ØÆþ¡Ê¤¹¤ë¡Ë or not ¹ØÆþ¡Ê¤¹¤ë¡Ë based on their ¸«²ò¡Ê¤ò¤È¤ë¡Ë of the ¿®ÍÑ of the CA brand Êݸ¤ëing the ¾ì½ê¡¿°ÌÃÖ. In other words, the ¤Ë°ú¤­Â³¤¤¤Æ ¥·¥Ê¥ê¥ª would need to take place Äê´üŪ¤Ë. A »ÈÍÑ¼Ô visits a web shop, spends half an hour filling up their basket with a number of goods, goes to the °ÂÁ´¤Ê¡¦Êݾڤ¹¤ë checkout and then, on the basis of their perception of the ¿®ÍÑ of the CA who Ä´°õ¤¹¤ëd the cert Êݸ¤ëing the checkout page, abandons that basket of goods and goes and shops ¤É¤³¤«¤è¤½¤Ç. I ¼¨º¶¤¹¤ë that this is ´°Á´¤Ë unrealistic. You are pitting the CA branding ÀßΩ¤¹¤ëd by a small rectangle in the browser UI against the multi-million dollar advertising ¡ÊÁªµó¤Ê¤É¤Î¡Ë±¿Æ°¤ò¤¹¤ës of Gap or IBM, Ï¢¹ç¤µ¤»¤ëd with the »ÈÍѼÔ's ´ê˾¡Ê¤¹¤ë¡Ë for the goods they are about to buy. It's no contest.

Secondly, there are 35 CAs with root ¾ÚÌÀ½ñs in Firefox 1.0, with more in the Îó for later ²òÊü¡Ê¤¹¤ë¡Ës, and 52 in IE on Windows XP. A »ÈÍÑ¼Ô would need to be aware of, and have opinions on the ¿®ÍÑ of all of them. ¤µ¤â¤Ê¤±¤ì¤Ð, what should he be advised to do when Áø¶ø¡Ê¤¹¤ë¡Ëing a ¾ì½ê¡¿°ÌÃÖ °ÂÁ´¤Ê¡¦Êݾڤ¹¤ëd using a ¾ÚÌÀ½ñ from a CA he does not know?

Sensible °ÂÁ´ practice would ¼¨º¶¤¹¤ë "don't use the ¾ì½ê¡¿°ÌÃÖ"; however this advice, if universally followed, would have a Ëܵ¤¤Ç detrimental ±Æ¶Á on the ÎÌ of web ¾¦¶È and, if ¸Ç¼¹¤¹¤ëd with, ¸º¤º¤ë the CA market to a small handful of players with big marketing ͽ»»s. Even in that »öÎã¡¿´µ¼Ô, the value of the total ¾ÚÌÀ½ñ market is probably not ½½Ê¬¤Ê to µö¤¹ CAs to do ¾ÃÈñ¼Ô-oriented marketing in all the countries of the world with Internet Àܶá. On the other ¼êÅϤ¹, the advice "use the ¾ì½ê¡¿°ÌÃÖ anyway" destroys most of the point of the branding in the first place. CAs would have an incentive to make sure their brand and logo was not known!

It's important that °ÂÁ´ UI is stable - that is, it should be the same on every visit to a ¹çˡŪ ¾ì½ê¡¿°ÌÃÖ, and different on any visit to a dodgy ¾ì½ê¡¿°ÌÃÖ. If a CA ¿®ÍÑ market were in Áàºî¡¿¼ê½Ñ, a switch from Just-Gone-Dodgy CA to More-¿®Íê¤Ç¤­¤ë-CA would be a good change (¾ì½ê¡¿°ÌÃÖ ¾º³Êing its °ÂÁ´), but a change in the µÕž¤¹¤ë direction would be a bad change (possible phishing attack). A »ÈÍÑ¼Ô would need very ¿¼¤¤ knowledge of the CA market ¡¼¤¹¤ë¤¿¤á¤Ë distinguish the two changes.

These factors and others together mean that ¸½ºß¤Îing the CA logo in the UI would º®Í𤵤»¤ë the »ÈÍÑ¼Ô far more than it ²þÁ±¤¹¤ëd °ÂÁ´, and ¡ÊÌäÂê¤ò¡Ë¼è¤ê¾å¤²¤ë ¿³ºº¤¹¤ë space that could be used for other, more useful »Ø¼¨¤¹¤ë¿Í¡Êʪ¡Ës.