Why self-signed certificates are not a sin.

As a security guy with a background in authentication systems, I get involved in discussions around the use of X.509 certificates regularly. Two of the most common problems I run into in this regard are:

· Misguided attempts to bypass or dynamically provision root trust.

· The misconception that X.509 certificates require hierarchical trust.

 

The dynamic provisioning of the root of trust is a topic worthy of its own post, probably several. The top-line message one should understand in this regard is that trust is transitive; this means that one cannot, without prior context, establish whether an abstract object like a certificate is authentic or trustworthy (note to self: I should also at some point do a post talking about what trust means and, more importantly, what it doesn’t mean).

 

What I wanted to talk about today was the second problem, specifically the misconception that X.509 certificates require hierarchical trust and that certificates issued by a third party are somehow inherently more trustworthy than certificates issued by ourselves or issued directly by resources or people we directly trust.

 

To the first part of this: the X.509 data structure has the concept of an “issuer” and a “subject”; think of the issuer as being the Department of Motor Vehicles (DMV) and the subject as being you. Although RFC 3280 defines a hierarchical model for validating these certificates, it does not mandate that one be used; in fact, there are many cases where the use of a hierarchical trust model just doesn’t make sense, for example:

Self Trust – It is reasonable for me to use X.509 certificates to encrypt/sign data to myself. In cases like this it is not necessary for me to go to a commercial certificate issuer and prove my identity to them so they can issue me a certificate that tells me I am me.

Peer Trust – It is reasonable for me to use X.509 certificates to encrypt/sign data to my peers. For example, my wife does not care what the name on my driver’s license is; she, like my friends, has never asked me to present my driver’s license before having a conversation with me.

 

If there are cases where the use of a hierarchical trust model doesn’t make sense, when is the use of such an approach appropriate?

Large communities – Managing direct (self/peer) trust is not free; it only works in situations where you already share sufficient context with the relying party (the person who makes a decision based on your possession of the private key associated with a certificate) to make a quality decision. Moreover, it’s only practical when you maintain a few trust relationships, because at some point the number of entities you need to manage trust relationships with becomes so large that direct trust is just impractical.

Distributed communities – Quality context for trust decisions generally requires a physical relationship of some sort. The other day I was watching a Dateline exposé on identity theft; the angle they were exploring was identity thieves establishing (fake) relationships with US citizens so that they could use their addresses as drop spots for goods purchased with stolen credit cards. These people actually believed (as a function of months of communication) that they were going to marry these people. Without meeting a person or entity in the physical world, you must rely on someone else to do that for you; otherwise you can be fooled.

High risk communities – Issuers require their subscribers to use certain practices to manage their key material, and limit what the certificates they issue are good for based on the needs of a subscriber. This, combined with the indemnification offered by issuers to relying parties (the value here is questionable given how these indemnification policies work), helps mitigate some of the risk associated with transactions in these high risk communities.

 

 

The core problem with self trust and peer trust in X.509 is that no one has built a reasonable user experience for X.509 that allows this to be deployed broadly. PGP has an OK one for PGP certificates (they might as well be X.509 certificates), and InfoCard has built some of this for their identity assertions, but it just has not happened yet for X.509 certificates.

 

In general, when it comes to server communities and certificates, I tell folks: if you are servicing a small community of users, have deployed Active Directory or some other mechanism that allows you to bootstrap the direct trust, and have fewer than 5 servers that need X.509 certificates, just use self-signed certificates (after all, that’s all a CA is).
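As an added illustration (not code from the original post), the following shell example uses the OpenSSL command line to show what direct trust in a self-signed certificate amounts to: the relying party pins the exact certificate it received out of band, so a second self-signed certificate carrying the same name is rejected. It also shows that a self-signed certificate placed in the trust store validates exactly the way a root CA does. The host name and file names are constructed for the example.

```shell
#!/bin/sh
# Added example: direct trust in self-signed certificates via pinning.
# Host name and file names are constructed for illustration.
WORK=$(mktemp -d)

# Create a key pair and a self-signed certificate (issuer == subject).
make_self_signed() {  # usage: make_self_signed NAME COMMON_NAME
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# SHA-256 fingerprint of the certificate: the value exchanged out of band.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# True when the issuer and subject names are identical.
is_self_signed() {
    [ "$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')" = \
      "$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')" ]
}

# Direct trust: accept only a certificate whose fingerprint is in the pin file.
directly_trusted() {  # usage: directly_trusted CERT PINFILE
    grep -qxF "$(fingerprint "$1")" "$2"
}

# Path validation with ANCHOR as the only trust anchor, as for a root CA.
chain_ok() {  # usage: chain_ok ANCHOR CERT
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_self_signed server   server-a.example.test
make_self_signed imposter server-a.example.test    # same name, different key
fingerprint "$WORK/server.pem" > "$WORK/pins.txt"  # bootstrap step, done out of band

for c in server imposter; do
    if directly_trusted "$WORK/$c.pem" "$WORK/pins.txt"; then r=accepted; else r=rejected; fi
    echo "$c: pinned-fingerprint check $r"
done
```

The pin file plays the role that Active Directory or another bootstrap mechanism plays in the paragraph above: it is the prior context that makes the certificate trustworthy, and it has to be updated by hand whenever a certificate is replaced.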

 

I should also note that one of the benefits of using a hierarchical model in the case of the Microsoft CA is that Windows clients and servers have been integrated with the Microsoft CA to facilitate automatic credential lifecycle management. In other words, if you use the auto-enrollment feature, clients and servers will get new certificates automatically without you needing to do anything; in the case of self-signed certificates, this is something you must do yourself (this is a big part of the direct trust scalability problem).

Posted on Wednesday, May 30, 2007 10:34 AM
