
Truth in Advertising



>>>> Peter Williams <peter@verisign.com> 07/01/97 05:49AM >>>
>>
>> Novell's position on this issue is one in favor of Truth in
>> Advertising -- certificates (and digital signatures) should contain a
>> statement that specifies what level of computer security rating the
>> platform has, and what cryptographic implementation rating, plus an
>> assertion of what kind of credential verification was performed.
>
>What do you see as the form?
>
>take https://www.microsoft.com/ntserver/info/seceval.htm for example.
>
>Who does one believe, as a consumer? (and the above page is data
>origin authenticated to Microsoft, so they are not bluffing or merely
>puffing their product, at least)
>
I knew I was going to be walking into a 2x4 on this one, as such a proposal
will require a significant amount of effort to define.  The syntax isn't
difficult, but the semantics will require a lot of discussion. I'm willing
to undertake some of that if there is any support within either PKIX or
SPKI.

First of all, I'd like to note that for a consumer or a CA to make certain
claims regarding his computer/cryptographic security, at least with respect
to a digital signature, is self-limiting or self-sinking.  The higher the
level of security I claim in order to get you to accept my transaction, the
more rope I have tied around my own neck if I later try to claim that my
keys were compromised and attempt to repudiate the transaction.

Second, there is the real-life problem that accreditation takes forever, in
Internet time, and by the time the process is complete the product is often
obsolete. So as a practical necessity we have to include the self-certified
"designed to meet" as well as the formally evaluated products.

Third, the fact that a product is capable of meeting some particular
criteria if it is installed correctly doesn't mean that it always will be. 
So it would be nice to include something about oversight by an accredited
Information Systems Security Professional, or at higher levels of trust, by
an accrediting or sponsoring agency.

Fourth, we need some uniform grading criteria for Certification Practice
Statements for CAs, that is, something to reduce 80 pages of technical,
administrative, policy, procedures, and legalisms to (hopefully) a
one-dimensional measure of confidence.  Maybe that is a simple reliance
limit -- maybe we should simply put the burden on the insurance company to
define a policy limit, and let them worry about how to mitigate their risks
through audits, technical controls, etc.
>
>Are you suggesting the CA, will decide whether to accredit the
>certification of the product/system rating team, and bear liability
>for the judgement and any remaining vulnerabilities, or residual
>risks due to the evaluation level, or the method of investigation, or
>the competency of the evaluating lab?
>
There are lots of different things that a CA could do, depending on market
demand.  Especially for high-value transactions, there may very well be a
market for such representations and overview.

We haven't talked much about subordinate CAs, where say a corporate CA is
issued a certificate by someone like VeriSign, who certifies that they are
who they say they are, and then the corporate CA issues certificates to
their employees.  I don't know what VeriSign's position is on this matter,
but in the old days of the RSA Commercial Hierarchy, RSA reserved the right
to come in and audit any CA to whom they issued a certificate, in order to
sustain the public trust.  (They were not quite so forthcoming when I
suggested that tit-for-tat was appropriate, and that the subordinate CAs
ought to have the right to insist on an audit of the root CA.)

In general, the CA is responsible (either directly or indirectly) for
ensuring the accuracy of any statements made in a certificate it signs.  Do
I expect them to go through a full-fledged technical audit of everyone who
requests an e-mail, level 1 certificate?  Of course not.

But for level 3, and higher?  I think that is not out of the question, even
if they merely review evidence presented in the course of some kind of
self-assessment, a la ISO 9000.

Does that ring anyone's chimes?

Bob