Last month, the CA/Browser Forum announced the creation of a working group that will focus on organizational reform. We welcome the announcement with open arms; the public PKI infrastructure needs more structure, collaboration, and visibility, and the CA/Browser Forum is in the best position to advance the robustness of the infrastructure in the short term.
The PKI infrastructure has been evolving organically for too long, and, because of that, we are today faced with many of its structural cracks. The challenge now for the security community (not just the CA/Browser Forum) is to:
- understand the complexities of the public PKI infrastructure,
- bring all the key stakeholders together,
- establish a system of governance that serves the collective interests,
- realign stakeholders' incentives to make the ecosystem stronger,
- in the short-term, resolve key structural and technical issues,
- maintain an up-to-date threat model and address weaknesses proactively, and,
- in the long-term, evolve the ecosystem to adequately address the real threats.
There is no doubt that a reform is needed; what is not clear is how it will take place. To facilitate the change, the CA/Browser Forum will need to transform substantially, inviting a wide participation as well as embracing openness and transparency. There is already a large number of organizations and individuals working on improving the security of the PKI infrastructure; those efforts need to be streamlined, and the changes orchestrated.
Some of the pressing issues that need to be addressed include the following:
- The large attack surface stemming from a compromise of any one Certificate Authority
- Not enough visibility into the operation of Certificate Authorities
- Insufficiently defined operational requirements and auditing standards
- Lack of reliable control mechanisms and ability to deal with failures
- Low adoption rate of SSL/TLS across all web sites
- Numerous configuration and implementation issues that subvert security in those sites that did adopt SSL/TLS
- Inadequate browser SSL/TLS implementations that do not make security seamless and easy (instead pushing the burden of security onto the shoulders of the end users, who are not in the position to make informed decisions), but still make it difficult for advanced users (who are in the position to make informed decisions) to pursue alternative approaches