Author Archives: iang

About iang

Contrarianism rocks! Security for the members. Help yourselves, coz no-one else will. Must be time for a cup of tea.

Google on improving certificate security

Benl writes: Improving SSL certificate security

Friday, April 1, 2011 9:05 AM Posted by Ben Laurie, Google Security Team

In the wake of the recent [incident], there has been a great deal of speculation about how to improve the public key infrastructure, on which the security of the Internet rests. Unfortunately, this isn’t a problem that will be fixed overnight. Luckily, however, [engineers] have long known about these issues and have been devising solutions for some time.

Given the current interest it seems like a good time to talk about two projects in which Google is engaged.

The first is the Google Certificate Catalog. Google’s web crawlers scan the web on a regular basis in order to provide our search and other services. In the process, we also keep a record of all the SSL certificates we see. The Google Certificate Catalog is a database of all of those certificates, published in DNS. So, for example, if you wanted to see what we think of https://www.google.com/’s certificate, you could do this:

[tech details snipped]

The second initiative to discuss is the DANE Working Group at the IETF. DANE stands for DNS-based Authentication of Named Entities. In short, the idea is to allow domain operators to publish information about SSL certificates used on their hosts. It should be possible, using DANE DNS records, to specify particular certificates which are valid, or CAs that are allowed to sign certificates for those hosts. So, once more, if a certificate is seen that isn’t consistent with the DANE records, it should be treated with suspicion. Related to the DANE effort is the individually contributed CAA record, which predates the DANE WG and provides similar functionality.

[caveats snipped]

Improving the public key infrastructure of the web is a big task and one that’s going to require the cooperation of many parties to be widely effective. We hope these projects will help point us in the right direction.
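As an added illustration of the DANE idea described in the post above (this is example code, not Google's or CAcert's, and the certificate bytes are constructed stand-ins for DER), the check below models RFC 6698 TLSA records: a domain operator publishes a hash of either its end-entity certificate (usages 1/3) or of a CA that may issue for the host (usages 0/2), and a client treats a presented chain as suspicious when no published record matches.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Tuple

# Constructed stand-ins for DER certificates and SubjectPublicKeyInfo blobs;
# real code would take these from the TLS handshake.
ROOT_CERT, ROOT_SPKI = b"constructed-der:root-ca", b"constructed-spki:root-ca"
LEAF_CERT, LEAF_SPKI = b"constructed-der:www-host", b"constructed-spki:www-host"
ROGUE_CERT, ROGUE_SPKI = b"constructed-der:rogue", b"constructed-spki:rogue"

@dataclass
class Cert:
    der: bytes   # whole certificate
    spki: bytes  # SubjectPublicKeyInfo only

@dataclass
class TLSARecord:
    usage: int          # 0/2: CA constraint or trust anchor; 1/3: end-entity cert
    selector: int       # 0: full certificate, 1: SubjectPublicKeyInfo
    matching_type: int  # 0: exact bytes, 1: SHA-256, 2: SHA-512
    data: bytes

def _select(cert: Cert, selector: int) -> bytes:
    return cert.der if selector == 0 else cert.spki

def _match(record: TLSARecord, cert: Cert) -> bool:
    selected = _select(cert, record.selector)
    if record.matching_type == 0:
        return selected == record.data
    digest = hashlib.sha256 if record.matching_type == 1 else hashlib.sha512
    return digest(selected).digest() == record.data

def make_record(usage: int, selector: int, cert: Cert) -> TLSARecord:
    """What the domain operator publishes: a SHA-256 TLSA record for one cert."""
    return TLSARecord(usage, selector, 1, hashlib.sha256(_select(cert, selector)).digest())

def dane_consistent(chain: List[Cert], records: List[TLSARecord]) -> Tuple[bool, str]:
    """chain[0] is the end-entity cert, the rest are issuers. Consistent when some
    record matches the class of cert its usage names. An empty record set means
    DANE says nothing about this host, which is not a failure."""
    if not records:
        return True, "no TLSA records published"
    for rec in records:
        if rec.usage in (1, 3) and _match(rec, chain[0]):
            return True, f"end-entity matched usage {rec.usage}"
        if rec.usage in (0, 2) and any(_match(rec, c) for c in chain[1:]):
            return True, f"issuer matched usage {rec.usage}"
    return False, "chain inconsistent with published TLSA records: treat with suspicion"

if __name__ == "__main__":
    leaf, root, rogue = Cert(LEAF_CERT, LEAF_SPKI), Cert(ROOT_CERT, ROOT_SPKI), Cert(ROGUE_CERT, ROGUE_SPKI)
    pin_leaf = [make_record(3, 1, leaf)]   # pin the host's own public key
    pin_ca = [make_record(2, 0, root)]     # pin the issuing CA instead
    print(dane_consistent([leaf, root], pin_leaf))   # genuine chain: ok
    print(dane_consistent([rogue, root], pin_leaf))  # mis-issued leaf: flagged
    print(dane_consistent([rogue, root], pin_ca))    # CA pin accepts anything that CA signs
```

Note that a CA-constraint record (usage 0/2) still accepts any certificate the pinned CA issues, so pinning the end-entity key (usage 3) is the stronger statement when the operator controls the key.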

ATE-Brisbane

ATE-Brisbane is happening! Francois has scheduled us into Linux Conference Australia’s annual bash in Brisbane’s QUT Garden Point Campus. We will host an ATE on the afternoon of 24th January. More details on the wiki.

I will attend ATE-Brisbane! Registration is essential as you won’t be able to get in.

For those who can’t make the afternoon timeslot, I’ll be available on Sunday evening. Mail as above if you want an additional ATE or just assurances & help.

The ATE or Assurer Training Event is exceptionally recommended for all Assurers, and includes parts which contribute directly to our audit. Come and find out how you can also contribute. Please RSVP as above.

Other events in Oz are welcome! Mail us with suggestions (use the RSVP above). Note the board has earmarked funds to get us to Melbourne and Brisbane, and also some travel budget to other NSW locations (Wollongong and Newcastle, but hey, there are other places)! If you can offer us a venue, we’re interested!

ATE-Melbourne

ATE-Melbourne is locked in! Nathan is making available a training room at Readify’s Melbourne, Docklands location. We will host an ATE on the evening of 16th December, 6:00pm. More details on the wiki.

I will attend ATE-Melbourne!

The ATE or Assurer Training Event is exceptionally recommended for all Assurers, and includes parts which contribute directly to our audit. Come and find out how you can also contribute. Please RSVP as above.

Other events in Oz are welcome! Mail me with suggestions (use the RSVP above). Note the board has earmarked funds to get us to Melbourne and Brisbane, and also some travel budget to other NSW locations (Wollongong and Newcastle, but hey, there are other places)! If you can offer us a venue, we’re interested!

Stop press! Our count of Assurers just hit 4000 :-) Congrats to the Assurance team and all who have mastered the Assurer Challenge. Be warned, tougher challenges are coming :P

Licensing our Documentation under CC-by-sa+DRP

Hi all, and contributors of documentation!

We are now at the point of licensing our documents. As some of you may have noticed, we have now licensed the Policies under Creative Commons – attribution – share alike licence, with our DRP [1]. Or CC-by-sa+DRP for short [2].

The Board is intending to do the same thing with our other documentation: CC-by-sa+DRP.

If you’re fine with this, say YAY TEAM, and read no further :)

Some notes on what this means:

  1. In broad terms the chosen licence is like GPL but for documents not source code.
  2. Documents are contributed under CCA 1.3 which includes this broad grant from you to CAcert Inc.:

    1.3 Your Contributions

    You agree to a non-exclusive non-restrictive non-revokable transfer of Licence to CAcert Inc. for your contributions. That is, if you post an idea or comment on a CAcert forum, or email it to other Members, your work can be used freely by the Community for CAcert purposes, including placing under CAcert Inc.’s licences for wider publication.

    You retain authorship rights, and the rights to also transfer non-exclusive rights to other parties. That is, you can still use your ideas and contributions outside the Community.
    ….

  3. At first glance, that clause CCA 1.3 looks quite fierce. There are a couple of reasons for such a complete and blanket transfer.
    1. It has been our experience that people have made contributions, and withheld transfer, preferring instead to control the results by means of copyright rights. This has put the Board, the Policy Group and the critical teams in a difficult position at times. The people making the contributions have often been thinking with all good intentions, but results of those intentions have been at least unpredictable and sometimes very costly.
    2. Secondly, it is possible that people with bad intentions could insert documents of uncertain background, and then stir up trouble later [3]. We do live in a competitive environment, and a competitor could cause this to happen. So the CCA includes a broad grant that addresses that.
    3. Thirdly, it would take an entire team to resolve the copyright mess if we didn’t have a broad grant. We’d have to have people running after every document, every post, every idea. It’s just uneconomic, and most of the contributors would not fill out the forms and return them anyway. We’ve got better things to do without creating work for ourselves following the tired old dreams of some 20th century colonialist music empire for the collection of royalties from poor starving artists.
  4. The grant is broad about what documents belong. Primarily we’d expect that to include the wiki, the SVN, the doco pages on the main website, email / list forums etc. These would all be “forums” under the above text. The point is it’s broad, inclusive. If there is any difficulty about this, then the intention is to use our Arbitration to solve the bits we missed.
  5. The quid pro quo for all of this is that CAcert Inc, now the proud owner of lots of documentation, license it back to the community. That’s today’s job.

So this email is going out to all the team leaders and so forth, from the Board, to ask for your thoughts, comments, desires, responses on the issue. What do you think? More thought required? Or full-steam-ahead? Somewhere in between? [4]

iang, informally for and from Board [5].

[1] There are some technicalities. We are adding to this by resolving all disputes in our own forum. We do this by means of the single licensing line in the document itself which now looks like: CC-by-sa+DRP. The motive for this is that our Arbitration works well across the planet, and is cheaper. It’s the same motivation for Arbitration with anything else, we protect all the members better this way.

[2] Also, we are using the Australian licence, 3.0 version, so the fuller acronym would add -AU-3.0. It is customary to not add those details. The various 3.0 licences are meant to be complementary (documents can work together under different 3.0 licences from different countries).

[3] This has been reported in the IETF groups, mostly with “submarine patents,” as a game between competitors.

[4] If you’ve got this far :) Let me take this moment to conduct a quick survey: who feels more comfortable with the spelling of the word as licence, and who feels more comfortable with license?

For the noun form, the word is /licence/ in Anglo spelling, and /license/ in American spelling. The reason it is confusing is that in Anglo-English, the *verb* form uses S like licensing, licensed, not C like licence. The American form then is far simpler, using S all the time, and as expected. The Anglo form is confusing … Note the RDL retained the American form :)

Anglo in this context means A/NZ/UK; I’m not sure about countries such as India, Pakistan, Singapore, Hong Kong and other strong users of English. Europe generally adopts British English, but I’d be surprised if they have avoided this confusion! Note that the answer to this question may feed into a wider question…

[5] which means, there is no Board motion as yet. There is board discussion minuted at:

https://wiki.cacert.org/Brain/CAcertInc/Committee/MeetingAgendasAndMinutes/20101003#a2.3

ATE-Canberra

ATE-Canberra is programmed! Ben has confirmed that Canberra’s PCUG will host an ATE on the evening of 12th October, 7:00pm. More details on the wiki.

I will attend ATE-Canberra!

The ATE or Assurer Training Event is exceptionally recommended for all Assurers, and includes parts which contribute directly to our audit. Come and find out how you can also contribute. Please RSVP as above.

Other events in Oz coming; or mail me with suggestions (use the RSVP above). Note the board has earmarked funds to get us to Melbourne and Brisbane! If we can find a venue there, we’re on a plane! Also, we’re thinking about Wollongong, Newcastle, etc.

SP to DRAFT — marks the milestone in Policy!

This weekend, the Security Policy goes into DRAFT. We’ve battled and we’ve won: consensus has erupted in policy group. Not only do we get our Security Policy, but SP going to DRAFT marks a major milestone for CAcert:

We now have a complete set of policies for audit !

We’ve been close before, but never the cigar. In early 2009, some audit work was done, but with gaps: the CPS and the “index” were missing. The CPS came into DRAFT in June 2009, it was close enough at the time. The “index” is called the Configuration-Control Specification (CCS), which is a rather clumsy name for such a simple thing. CCS is a list to all the assets that have to be audited, so it’s worth a little attention. The structure more or less looks like this:

Audit => Criteria (we call them DRC) => CCS (the index)

Then, with CCS in hand, the Auditor can find the parts needed:

                     --> Policies
                   /
       CCS ==----> critical systems
                   \
                     --> roles in control, etc

CCS was the missing link. Luckily the index CCS is relatively easy to write, if all the other policies and systems are clear, and this also means it was doomed to always be last, once the other policies were clear. A month back policy group pushed it through, we brought the CCS finally into its place as a (DRAFT) binding policy.

Which should have been the completion of our policy set for audit, but as CCS was finishing, the Board of CAcert Inc decided to veto the Security Policy, as they can under the rules (PoP 4.6). Now, much has been written about this drama in the maillists, and the debate did raise some serious questions at the time, but they can be left for another day. This week, then, we in policy group are taking Security Policy back to DRAFT. Has anything changed? Here are the major points of change:

  1. The part about the Board Members having a background check has been removed. This was reasonable, as, on the whole, the ABC process is too clumsy for the Board, and the Board now has its own requirements to deal with conflicts of interest, courtesy of the new Associations Act 2009.
  2. Application Engineer is removed, and that capability is returned to the Systems Administration team leader. T/L can bring in a Software Assessor any time he needs one, and take on that risk, etc.
  3. One non-difference is that SP was still binding on the critical roles, because they accept the SP as their binding document when they are appointed. This is part of the process, as documented in Security Manual. The reason for this is that, under the principles of data protection, anyone who can access the data needs a special agreement, and in CAcert, the SP is that agreement.
  4. Meanwhile, SP goes back to being binding on the Community. Why would the Community need to be bound to Security Policy, when they can’t do anything wrong anyway? Well, because there are always errors, holes, bugs, omissions and short cuts. In any process! So, while we should fix these omissions, it helps to have the big stick of policy to wield as well. Just because you find a software bug doesn’t mean you can exploit it, and just because you have a title like “auditor” doesn’t mean you can stare at the private root key. We all have wider obligations, and SP is one of them.

Other than tighter wording, etc, that’s it. Welcome to our complete Policy set!

Which final comment brings us to the success of CAcert’s Policy project. It was 5 calendar years in the making, starting off with Christian’s original CPS, and it cost many Member-Years of effort. Some examples: The SP was probably a Member-Year of effort. The CPS is likely equal, the agreements and foundations (CCA, DRP, PoP, etc) another huge lump. I said CCS was an easy one to write, but “easy” still runs to around a Member-Month of effort. PoJAM, similar.

If we think how much a commercial company pays for a Member-Year of effort (100k, plus or minus), that’s a serious investment.

Thank your policy group, and help out with reading and voting!

35 decisions, 13 policies to DRAFT and beyond, 55 contributors. Here’s the top ten, a Hall of Fame, collected by a wiki-scraping script I wrote last night:

Name # Decisions
Tomáš 10 p20100510,p20100426,p20100401,p20100119,p20100113,p20091108,p20091106,p20090706,p20090327,p20081016
Faramir 10 p20100510,p20100426,p20100401,p20100326,p20100120,p20100119,p20100113,p20091106,p20090706,p20090327
Lambert 10 p20100426,p20100401,p20100326,p20100113,p20091108,p20091106,p20090706,p20090327,p20090105.1,p20081016
Philipp D 9 p20100510,p20100426,p20100401,p20100113,p20091106,p20090706,p20090327,p20090105.1,p20081016
Pieter 8 p20100510,p20100426,p20100401,p20100306,p20100120,p20100113,p20091106,p20090327
Iang 8 p20100510,p20100426,p20100306,p20100120,p20100119,p20100113,p20091106,p20090706
Ulrich 7 p20100510,p20100426,p20100401,p20100326,p20100306,p20100120,p20100119
Ted 7 p20100510,p20100120,p20100119,p20100113,p20091106,p20090706,p20081016
Brian 7 p20100510,p20100426,p20100401,p20100119,p20091108,p20091106,p20090706
Morten 6 p20100510,p20100426,p20100306,p20100120,p20100119,p20100113

(That’s not a formal result, and it only counts voters from the last 2 years, many others did other things that are harder to measure.)

We now have a set of policies that not only deals with the criteria of the Audit (DRC), not only removes that critical path blockage of documentation for audit, but also presents the only honest, fair, presentable and sustainable policy set in the entire business. In my humble opinion.

This is a set of documents everyone can be proud of. On this foundation we can build. We can, for our Members, create business of real value, not just issue certificates that defy valuation to people who don’t understand their need.

Now, on to implementation and audit. Questions about the audit are questions about implementation, so don’t forget:

Do not ask when your audit is done, rather, ask how you, yourself, are doing your audit!

And now, you’ve got the full policy set, so you know what the Auditor is going to be looking for ;-)

scheduled systems downtime – 15th June

Wytze reports on a planned outage for CAcert main systems, as the systems are moved from one rack to another:

“The move has been scheduled for Tuesday June 15, starting at 10:00 CEST, and hopefully ending before 18:00 CEST.

During a significant part of that period, all systems will be down. We will take care of providing a backup during the outage for ocsp.cacert.org (to avoid inconveniencing browser users which have OCSP enabled for CAcert, as they should!), and a placeholder for www.cacert.org which reports the downtime and the reason for it.”

What’s this ATE thing then???

You have probably seen messages flying around about the ATEs, or Assurer Training Events, and you’re probably wondering whether it applies to you. The answer is:

YES, most definitely, if you are an Assurer.

This is your event, to update and to participate. More than that, it feeds into audit. This connection may be a little non-obvious, so this post is about explaining it to those wavering on their path to an ATE near them as to why you should help.

Recall that CAcert has today 3460 (and growing) Assurers around the world, and that they provide the critical information feeding into the certificates for the entire community.

That line — from Community Member to verification of information to the certificate — is of key interest to the Auditor. The certificate part is well-understood but what is less well understood is the verification part. How does the Auditor verify the actions of 3460 people spread across dozens of countries? Are they doing the job? Looking after Members? Mostly harmless or causing risks to rise?

Assurers mostly harmless?

Verifying the Assurers across the planet is a challenge we must conquer, because our audit criteria says “A.2.y The CP details how the CA verifies that [Assurers] operate in accord with the CA’s policies.” Indeed, the auditor for a big famous-name CA simply declined to audit their web of trust, and the CA found it in its heart to drop the entire thing.

But it can be done. As auditor, I visited around 8 countries in 2009 for a tiny budget of €1500 and verified personally around 80 Assurers. The German community did a similar thing across Germany, and together these results gave us a good showing. It was still marginal; we need better and broader coverage. We need scalability and we need process, but we had our start.

From the 2009 experiment, the Assurance Team has designed a comprehensive programme to meet the audit criteria A.2.y, and the ATE is the leading part of that. At the Assurer Training Event, you the Assurer are brought up to date with changes (dramatic), informed on essential checks (of course) and then we individually record that process (carefully and slowly). All this is then collated and prepared for an end-of-season report.

The 2010 season is now underway. If you want to help CAcert’s audit process and improve on the results below, you should look out for an ATE near you. Who wouldn’t want to be involved??? Better yet, ask at events@c.o for how to run one.

2009 results

ATE-Sydney

ATE-Sydney is programmed! Masa has made available a lecture theatre at Sydney University’s IT school for an ATE on the evening of 24th March, 6:00pm. More details on the wiki.

I will attend ATE-Sydney!

The ATE or Assurer Training Event is exceptionally recommended for all Assurers, and includes parts which contribute directly to our audit. Come and find out how you can also contribute. Please RSVP as above.

Other events in NSW coming soon, or mail me with suggestions.

ate-OZ

I’m in the vicinity of Canberra – Sydney for next 2 months, and looking to do ATEs. If you have some sort of venue or facility, and there are Assurers in your area, let me know.

Additions: Sydney is rolling…

iang @ the normal address, for the Assurance Team.