Certificate Authorities and Accountability

June 19, 2006 by Ping

Phillip Hallam-Baker, Chief Scientist at VeriSign, just gave a talk in which, among other things, he stressed the importance of accountability by certificate authorities.  The argument is that users should see not only the logo and name of the sites they’re dealing with, but also the logo and name of the certificate issuer, so the reputation of the issuer is on the line.

I wanted to ask him the following question, but we ran out of time so I’m posting here instead.

I agree with his goal that certificate issuers should be accountable.  However, I don’t see how showing the certificate issuer’s logo is going to achieve that.  We’ve already seen several certificate authorities issue misleading or incorrect certificates.  In a particularly high-profile case, VeriSign issued false certificates in Microsoft’s name.  This is a breach of the highest order — it could enable the compromise of nearly every Windows PC on the planet.  But the consequences for VeriSign were insignificant.  Do most users of Web browsers know they shouldn’t trust VeriSign’s certificates?  Probably not.  And I don’t think showing logos is going to change this.

Part of the problem is that users don’t really have a choice.  Even if they read the news articles about VeriSign’s mistake, they don’t have the option to choose another certificate authority.  If you go to Amazon and visit an SSL-protected page, your browser will get Amazon’s certificate, issued by VeriSign.  You don’t get to choose any other issuer — there’s only one certificate, and you can take it or leave it.  VeriSign now owns so much of the market that choosing not to trust VeriSign isn’t a feasible option anymore.  VeriSign has already been trusted by default in most browsers for a long time.
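As an added example (not from the post), a shell session with constructed toy issuers shows the take-it-or-leave-it point concretely: the site presents one certificate from one issuer, and the only lever a client has is whether that issuer sits in its trust store. It assumes the openssl command-line tool is installed; "Demo Issuer", "Other Issuer" and shop.example are made-up names.

```shell
#!/bin/sh
# Added demo, not from the original post: a constructed toy issuer signs a site
# certificate, and the client's only choice is whether it trusts that issuer.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Two toy root CAs. "Demo Issuer" stands in for the incumbent browser-trusted CA;
# "Other Issuer" is an issuer the user might prefer but the site does not use.
for name in "Demo Issuer" "Other Issuer"; do
    file=$(printf '%s' "$name" | tr ' ' '_')
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$name" \
        -keyout "$file.key" -out "$file.pem" >/dev/null 2>&1
done

# The site gets exactly one certificate, signed by Demo Issuer (constructed name).
openssl req -newkey rsa:2048 -nodes -subj "/CN=shop.example" \
    -keyout site.key -out site.csr >/dev/null 2>&1
openssl x509 -req -in site.csr -CA Demo_Issuer.pem -CAkey Demo_Issuer.key \
    -CAcreateserial -days 1 -out site.pem >/dev/null 2>&1

# What the post wants users to see: the issuer the site's certificate depends on.
issuer_of() { openssl x509 -in "$1" -noout -issuer; }

# The client's policy: accept the site only if its chain ends in a CA in the store.
# -no-CAfile/-no-CApath keep the system trust store out of the decision.
accept_with_store() {
    openssl verify -no-CAfile -no-CApath -CAfile "$1" site.pem >/dev/null 2>&1
}

issuer_of site.pem
if accept_with_store Demo_Issuer.pem; then
    echo "trusting Demo Issuer: site accepted"
fi
if ! accept_with_store Other_Issuer.pem; then
    echo "trusting only Other Issuer: same site rejected, no second certificate to fall back on"
fi
```

Removing an issuer from the store rejects every site that issuer certified, which is why distrusting a dominant CA is not a realistic option for an individual user.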

Hallam-Baker wants accountability, but I don’t think his company is anywhere near accountable now and I don’t see it becoming accountable anytime soon.