Whilst PKI has proved invaluable in promoting the idea of trust, for example in the huge shift to eCommerce led by companies such as Amazon and eBay, anyone with a security background will have touched on the issue of trust anchors at some point, only to be left with an uncomfortable feeling of something not entirely resolved.
The current situation is far from ideal, and has led to a number of ‘hacks’, such as ‘Balkanising’ (or localising) the web, blacklisting or filtering untrusted CAs, and certificate or public key pinning. Essentially these methods all restrict the scope of trust in the certificate chain. In localising the web, for example, clients may be configured to trust only CAs from their own nation, or to filter out specific CA issuers. There are several problems with these approaches, but fundamentally they do not solve the trust problem; they merely limit the scope of control, and potentially compromise agility and availability in the process.
Certificate (or public key) pinning is a useful method to ‘pin’ (or ‘fix’) cryptographic identities over a period of time, to reduce the risk from rogue CAs, MITM attacks (or even ‘legitimate’ SSL interception). In essence pinning means hard-coding a server’s trusted certificate, or the public key it carries, within a client: for example by pinning the leaf certificate itself (removing the need to trust the CA), or by pinning the CA certificate used to sign the server’s certificate (limiting trust to certificates signed by a fixed set of CAs). Pinning the public key rather than the whole certificate lets the certificate be renewed without breaking the pin, as long as the key pair is kept; pinning too narrowly, with no backup key, turns any key rotation into an outage. Pinning is now commonly used to secure mobile messaging ‘Apps’, and for web-based services and browsers (e.g. Chrome 13 for Google services).
HPKP proposes to standardise pinning, enabling a web host to inform clients (e.g. browsers) to always expect at least one of a set of public keys, identified by the SHA-256 hash of their SubjectPublicKeyInfo, in a server’s X.509 certificate chain, and otherwise to reject the chain. This enables a web site to limit the number of trusted authorities that can authenticate the domain for the lifetime of the pin. Note that the pin itself arrives over the very connection it is meant to protect, so the first connection is trusted on first use; and the browsers that implemented HPKP have since removed it, largely because a bad pin locks clients out of the site. So, whilst HPKP does certainly assist in improving trust, it ultimately fails to solve the problem, because there is simply no proof: any certificate chain has the potential to be compromised regardless of how narrow the scope. For a candid summary of issues with PKI see Peter Gutmann’s breakdown. Then we are left with a deeper problem, in that PKI itself is not quantum immune (the RSA and elliptic-curve signatures it rests on fall to Shor’s algorithm on a sufficiently large quantum computer), and there have been significant advances in recent years in building the components needed for quantum machines. If we are relying heavily on PKI to protect our assets, we really should be changing how we think, focusing on a data-centric view outwards, rather than assuming layered security is protecting those assets. Consider also that when we talk about asset integrity we need to think about all those email, log, personal, and call records held in long term storage.
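As an added worked example (not code from the original article), the following Python shows the mechanics behind the two paragraphs above on pinning and HPKP: it extracts the SubjectPublicKeyInfo from a DER certificate, computes the RFC 7469 pin-sha256 value, parses a Public-Key-Pins header, and accepts a chain only if at least one certificate in it carries a pinned key, rejecting it otherwise. It also applies the RFC’s backup-pin rule, which is what keeps a key rotation from locking clients out. The certificates are constructed stand-ins with placeholder key bytes and no real signature, the DER walker covers only the field layout needed to reach the public key, and the names `fake_cert`, `demo`, `LEAF`, `INTERMEDIATE`, `BACKUP` and `CHAIN` are assumptions for illustration.

```python
"""Added example, not from the original article: HPKP-style public key
pinning. Computes pin-sha256 values (base64 of SHA-256 over the DER
SubjectPublicKeyInfo, as in RFC 7469), parses a Public-Key-Pins header and
validates a certificate chain against the pinned set."""
import base64
import hashlib
import re


# --- minimal DER encode/decode (enough for the X.509 field layout) --------

def der_len(n: int) -> bytes:
    """Encode a DER length in short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    """Build one DER tag-length-value element."""
    return bytes([tag]) + der_len(len(content)) + content


def parse_tlv(buf: bytes, pos: int = 0):
    """Return (tag, content, end) for the element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def children(content: bytes) -> list:
    """Split a constructed element's content into its raw child elements."""
    out, pos = [], 0
    while pos < len(content):
        _, _, end = parse_tlv(content, pos)
        out.append(content[pos:end])
        pos = end
    return out


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, cert_body, _ = parse_tlv(cert_der)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    tag, tbs_body, _ = parse_tlv(cert_body)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    fields = children(tbs_body)
    if fields and fields[0][0] == 0xA0:     # explicit [0] version is optional
        fields = fields[1:]
    spki = fields[5]                        # serial, sigalg, issuer, validity, subject, SPKI
    if spki[0] != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return spki


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def cert_pin(cert_der: bytes) -> str:
    return spki_pin(extract_spki(cert_der))


def parse_pkp_header(value: str):
    """Parse a Public-Key-Pins header into (pins, max_age, include_subdomains)."""
    pins = set(re.findall(r'pin-sha256="([^"]+)"', value))
    m = re.search(r"max-age=(\d+)", value)
    return pins, (int(m.group(1)) if m else None), "includesubdomains" in value.lower()


def chain_matches_pins(chain_der, pins) -> bool:
    """HPKP acceptance rule: at least one certificate in the chain (leaf or any
    issuer) must carry a pinned key; otherwise the chain is rejected."""
    return any(cert_pin(c) in pins for c in chain_der)


def pins_are_usable(chain_der, pins) -> bool:
    """RFC 7469 also demands a backup pin (one NOT in the served chain), so that
    rotating to the backup key does not lock out clients holding the old pin."""
    chain_pins = {cert_pin(c) for c in chain_der}
    return bool(chain_pins & pins) and bool(pins - chain_pins)


# --- constructed stand-in certificates (no real keys, no real signatures) --

def fake_cert(key_bytes: bytes) -> bytes:
    """Assumed helper: X.509-shaped DER whose only purpose is to exercise the
    field walk above. The 'key' is placeholder bytes, not a real public key."""
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2A864886F70D010101")) + tlv(0x05, b""))
    spki = tlv(0x30, alg + tlv(0x03, b"\x00" + key_bytes))
    validity = tlv(0x30, tlv(0x17, b"200101000000Z") + tlv(0x17, b"300101000000Z"))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg
              + tlv(0x30, b"") + validity + tlv(0x30, b"") + spki)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" + bytes(16)))


LEAF = fake_cert(b"constructed-leaf-key")
INTERMEDIATE = fake_cert(b"constructed-intermediate-key")
BACKUP = fake_cert(b"constructed-backup-key")
CHAIN = [LEAF, INTERMEDIATE]


def demo():
    """Pin the intermediate plus an offline backup key, then validate CHAIN."""
    header = 'pin-sha256="%s"; pin-sha256="%s"; max-age=5184000; includeSubDomains' % (
        cert_pin(INTERMEDIATE), cert_pin(BACKUP))
    pins, max_age, _ = parse_pkp_header(header)
    return chain_matches_pins(CHAIN, pins), pins_are_usable(CHAIN, pins), max_age


if __name__ == "__main__":
    print(demo())   # (True, True, 5184000)
```

For a real certificate the same pin value is what `openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64` produces, so pins generated that way can be checked against `cert_pin` on the DER. The design point the code makes concrete is the one the text raises: pinning the intermediate rather than the leaf survives routine renewals, and the backup pin is the only thing standing between a key rotation and a self-inflicted outage for every client holding the old pin.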
So this leaves us still with a question: how might we maintain the integrity of Internet assets, at rest or in transit, beyond any doubt, and how do we know if and when these assets are compromised? More specifically, how do we do this in a way that:
- does not rely on a central authority,
- is publicly open to interrogation for proof,
- with that proof defined by mathematical rigour,
- is quantum immune, and
- can operate at serious scale.