Ben Laurie blathering

Lessons Not Learned

Anyone who has not had their head under a rock knows about the DigiNotar fiasco.

And those who’ve been paying attention will also know that DigiNotar’s failure is only the most recent in a long series of proofs of what we’ve known for a long time: Certificate Authorities are nothing but a money-making scam. They provide us with no protection whatsoever.

So imagine how delighted I am that we’ve learnt the lessons here (not!) and are now proceeding with an even less-likely-to-succeed plan using OpenID. Well, the US is.

If the plan works, consumers who opt in might soon be able to choose among trusted third parties — such as banks, technology companies or cellphone service providers — that could verify certain personal information about them and issue them secure credentials to use in online transactions.

Does this sound familiar? Rather like “websites that opt in can choose among trusted third parties – Certificate Authorities – that can verify certain information about them and issue them secure credentials to use in online transactions”, perhaps? We’ve seen how well that works. And this time there’s not even a small number of vendors (i.e. the browser vendors) who can remove a “trusted third party” who turns out not to be trustworthy. This time you have to persuade everyone in the world who might rely on the untrusted third party to remove them from their list. Good luck with that (good luck with even finding out who they are).

What is particularly poignant about this article is that even though it’s title is “Online ID Verification Plan Carries Risks” the risks we are supposed to be concerned about are mostly privacy risks, for example

people may not want the banks they might use as their authenticators to know which government sites they visit


the government would need new privacy laws or regulations to prohibit identity verifiers from selling user data or sharing it with law enforcement officials without a warrant.

Towards the end, if anyone gets there, is a small mention of some security risk

Carrying around cyber IDs seems even riskier than Social Security cards, Mr. Titus says, because they could let people complete even bigger transactions, like buying a house online. “What happens when you leave your phone at a bar?” he asks. “Could someone take it and use it to commit a form of hyper identity theft?”

Dude! If only the risk were that easy to manage! The real problem comes when someone sets up an account as you with one of these “banks, technology companies or cellphone service providers” (note that CAs are technology companies). Then you are going to get your ass kicked, and you won’t even know who issued the faulty credential or how to stop it.

And, by the way, don’t be fooled by the favourite get-out-of-jail-free clause beloved by policymakers and spammers alike, “opt in”. It won’t matter whether you opt in or not, because the proof you’ve opted in will be down to these “trusted” third parties. And the guy stealing your identity will have no compunction about that particular claim.


  1. Does this sound familiar?

    It does, but an important (or at least interesting) difference my lie buried under the familiar surface. If consumers choose the third party and service providers rely on the credentials issued by various third parties, the trust relationships change compared to what we are familiar with from SSL. With SSL, the burden of trust is with the users; with OpenID it seems tho shift to the service providers. I suspect this may change the security economics, for the worse or for the better.

    Comment by Sven Türpe — 19 Sep 2011 @ 16:45

  2. Unfortunately, the US can’t just use a single CA because of “big brother” scaremongering.

    Comment by Wes Felter — 19 Sep 2011 @ 17:19

  3. Aren’t you collaborating with Comodo, a CA, on PKIX CAA? Do you think that will fix it? DANE looks like a much more general solution, and I don’t trust Comodo to do anything but further their commercial interests. Plus, CAA doesn’t mandate DNSSEC authentication.

    Comment by kosh — 8 Oct 2011 @ 12:13

  4. “Nothing but money-making..”

    What exactly is wrong with wanting to just make money, then?

    Comment by Anonymous — 18 Oct 2011 @ 9:23

RSS feed for comments on this post.

Sorry, the comment form is closed at this time.

Powered by WordPress