Problems with Certificates

In today's typical PKI, in which CAs distribute X.509-based certificates, several known problems exist. First, perhaps calling them certificates is a misnomer. As the definition implies, a certificate is a document testifying that its subject matter is true and authentic, officially and under the law. As in a Certificate of Birth or Certificate of Deposit, the contents are deemed true, authorized, and sealed; their truth should not be questionable. As the name implies, you would think a digital certificate serving to prove identity and validity would also be considered true beyond a doubt. However, that is not the case, and most CAs even have a disclaimer saying that they are ultimately not responsible for the contents or validity of a certificate. In the end, you are solely responsible for trusting a given certificate. Why then do you choose to trust in a CA when you could do the same thing on your own in a distributed system such as PGP?

Certificates can be faked, stolen, or filled with invalid information. In early 2001, VeriSign was tricked into issuing two digital certificates under the identity of Microsoft. The certificates were issued to people claiming to be from Microsoft. They used the certificates to sign software that would be downloaded into people's Web browsers over the Internet. Because your Web browser trusts all digital certificates signed by VeriSign by default, your browser would immediately download and run the software of these malicious people. The attackers could have the software do anything they wanted, from wiping out your computer to spying on your activities for months to come.

What happens when somebody steals your digital certificate from your computer? After all, it is most likely just a file, and it is up to you to protect and secure it. A thief might get to it in any one of many ways. He could trick you into e-mailing it to him, hack into your computer the old-fashioned way, or set up an evil Web site. The evil Web site might exploit some new vulnerability in your Web browser that lets it read files directly off of your computer. Thanks be to buggy software!

CAs have a big job just managing CRLs. The following problems are typical with CRLs:

  • Somebody wants to revoke her certificate but hasn't done it yet.

  • The CRL is not always checked; SSL, for example, does not check the CRL to validate whether a certificate has been terminated.

  • Lag time exists between updates. Certificate Authorities typically update their CRLs on a periodic schedule, such as every six hours.

Perhaps, for example, Alice's computer has been broken into. She has no idea if the thief has gotten hold of her digital certificate, but it is entirely possible. She might not think to revoke her certificate, or if she does consider it, she might not know how. The time between when her certificate is compromised and when she actually revokes it with her CA is a dangerous time. This is basically like the time between when somebody has stolen your credit card and you call to have it cancelled. By the time you call to have the card cancelled, the thief could have already maxed it out. Luckily, the law has credit card fraud protection. Unfortunately, you don't have that kind of protection with digital certificates.

When people validate a certificate, they do not always check a CRL to see if it has been revoked. For instance, if you visit an SSL Web site that has a certificate that is signed by multiple CAs, you might go straight to the root CA to validate it. If one of those signing CAs has the certificate on a CRL, you will not know unless you check it, in which case you might establish the SSL session with a bogus certificate.

CRLs cannot be constantly updated. They are typically updated periodically, which could mean once every four hours or once a day. If you tell your CA that you need to revoke your digital certificate, a lag time will occur before your CA updates its CRL for the world to see. During this lag time, people who send you encrypted e-mail can still use your digital certificate's public key. If someone has compromised your certificate, he might have access to the e-mail that is being sent to you during this time.
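
The CRL problems described above, modeled as an added example (not from the original text): a relying-party check that examines every link of a chain and treats a missing or stale CRL as unknown rather than good, plus the length of the window in which a compromised certificate still passes. The Crl class, the CA names, the serial numbers, and the times are constructed for illustration; no real X.509 data is parsed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class Verdict(Enum):
    GOOD = 0
    UNKNOWN = 1   # no usable CRL; a strict verifier treats this as failure
    REVOKED = 2


@dataclass(frozen=True)
class Crl:                      # simplified model, not real X.509 parsing
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked: frozenset          # serial numbers listed as revoked


def check_cert(issuer, serial, crls, now):
    """Check one certificate against its issuer's cached CRL."""
    crl = crls.get(issuer)
    if crl is None or not (crl.this_update <= now < crl.next_update):
        return Verdict.UNKNOWN  # a missing or stale CRL proves nothing
    return Verdict.REVOKED if serial in crl.revoked else Verdict.GOOD


def check_chain(chain, crls, now):
    """chain: (issuer, serial) pairs, leaf first. Every link is checked and
    the worst verdict wins, so one skipped CA cannot hide a revocation."""
    return max((check_cert(i, s, crls, now) for i, s in chain),
               key=lambda v: v.value)


def exposure(compromised_at, requested_at, first_publish, interval):
    """Time a compromised certificate still passes a CRL check: from the
    compromise until the first CRL published at or after the request."""
    periods = -(-(requested_at - first_publish) // interval)  # ceiling
    return first_publish + periods * interval - compromised_at


# Constructed sample: both CAs publish every six hours from midnight UTC.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
SIX_H = timedelta(hours=6)
CHAIN = [("Intermediate CA", 0x1001), ("Root CA", 0x02)]
CRLS = {name: Crl(name, T0, T0 + SIX_H, frozenset())
        for name in ("Intermediate CA", "Root CA")}
# The intermediate's next CRL, after Alice's revocation request is processed.
CRLS_LATER = {**CRLS, "Intermediate CA": Crl(
    "Intermediate CA", T0 + SIX_H, T0 + 2 * SIX_H, frozenset({0x1001}))}
```

With a compromise one hour after a publication and a revocation request three hours later, the certificate keeps passing checks for five hours; a verifier that consults only the root's CRL never sees the revocation at all.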

Many privacy concerns are associated with digital certificates in the PKI and CA model of their use. Why don't you just replace all of your loosely scattered ID cards, keys, usernames, and passwords with a single digital certificate? It might make life a lot easier. What if a nationwide (or even worldwide) CA could sign your certificate? As soon as you went online, you could be validated against that CA, which would determine the Internet resources available to you and your privileges with them.

If every Web site you visited, every media file you downloaded, and every e-mail you sent had your digital signature associated with it, that nationwide CA would be able to track your every move through cyberspace. Sure, it would not be as easy to do as it is to imagine, but it is possible. If, over the next few years, you find yourself being asked more and more to provide a digital signature for your daily online transactions, you have a right to be suspicious.

Privacy can be maintained as long as the use of digital signatures is kept optional and voluntary. If it becomes compulsory or mandated, the world of privacy is threatened immediately. Just as the inventory in a grocery store can be tracked as it moves through each register's bar code readers, your life online (and even in the offline world) can be tracked.

In the end, security measures such as digital certificates are just speed bumps on the criminal highway. They make things more difficult, but with time, methods of circumventing security are usually found. It can't be guaranteed that the holder of a digital certificate is the actual owner of it. Therefore, you should not blindly trust an e-mail message that is signed by someone you trust because the CA said the signature is valid. In the end, it is up to each person to decide who is to be trusted.

This can also be illustrated using SSL and digital certificates. Perhaps Bob is visiting https://www.privacydefended.com, or at least, he thinks he is. Some imposter has set up a server to impersonate www.privacydefended.com and has stolen the authentication certificate so that he can use it on his phony Web site. Bob will never know the difference, and visiting this phony www.privacydefended.com Web site, he will probably let his Web browser make the trust decision for him. This type of activity is possible today, where people or computers can steal each other's online identity just by stealing each other's digital certificates.

It is important to realize that a CA can only verify that a particular certificate or signature is valid. A CA cannot verify if the certificate has been stolen, or if a signature has been made by someone other than the original owner of the certificate. This is where our trust in CAs breaks down, and why a distributed system such as PGP's Web of Trust can seem more secure. With the PGP system, you determine the trust based on who signed a public key and when it was signed. I will be more likely to trust a PGP public key signed yesterday by one of my friends who is extremely knowledgeable about technology than I will to trust a public key signed more than a year ago by someone I barely know.
