What do you want from a Certification Authority? Please tell us

How do you want Certification Authorities to protect you? Lets write down all the use cases.

1) ISPs snooping on data
2) Users want to know that they are where they intended to be
   a) either by typing the domain in the address bar
   b) or by clicking on a link to go to the domain
3) Companies want to tell end users that they are at the legitimate site the user thinks they are. (e.g. Paypal telling users that they are at a Paypal site)
4) Legitimate companies want to tell end users that they are a legit entity… (e.g. SMB etc…)
5) Users want to know if it’s “safe” to interact with the website (big statement)
6) Users want to be able to trust the content they see (e.g. having the ability to validate a VISA logo etc.).

What other use case are we missing?

That is an interesting question. The list is also an interesting mix of what users may want and what site owners may want. And who is the user? An educated and interested person, or a less educated (in these matters) and not at all interested person? I think we should focus on the latter.

Site owners may want to have an indicator with their name in it, but do average users care about those indicators? What do studies say? Do they even notice if the connection is secure or not, and do they know how/why it matters?

I do not expect CAs to monitor the content of websites. That is not related to the certificate, and there are other solutions for that, which have nothing to do with the certificate (and most sites still do not have a certificate, and protection is needed there too).

If a CA finds that some of their customers use their sites to spread malware, for phishing etc., I expect the CA to make sure the domain is blocked by at least Safe Browsing and SmartScreen, ASAP.

I expect CAs to not issue certificates for someone else’s domain (which has happened).

We are trying to focus on what “users” want…
Looking for use cases. Do you have any other use case than the ones listed? If so pls list them.

“users”…because a “connection” is “two way”…there are 2 users of it…one on the browser side…(end user)…and the other is on the server side (site owner user). Therefore any use case for the users pls.

It’s hard to guess what a user (client) wants, because the average user is not at all interested in these matters. Of course they want security, and they probably expect it to work silently for them, without requiring any effort from the user. A clear message “Stop, malware!”, “Stop, phishing!”, and no false positives. If there is no such real threat, say nothing.

What the user on the server side wants may be based upon a false image of what users want (care about).

Here is a good read about users (clients) and security: https://www.microsoft.com/en-us/research/publication/so-long-and-no-thanks-for-the-externalities-the-rational-rejection-of-security-advice-by-users/

Section 5 is about certificates. It’s from 2009, so some things have changed, like the introduction of HSTS (Paypal-discussion) and the much increased use of TLS.

I was hoping those “users” are here amongst us and they can identify what they want.

Not the users who need the protection the most.

Because I do not know who all these 160,000 users registered to our forum are, I wasn’t able to make the assumption like you did that they are not the users.

Now that the topic has been filled with irrelevant posts about assumptions, I don’t think we will have any material response to it.

We can now close this topic.

The duty of a CA is to issue certificates in a way that they can be trusted in the context of their purpose. That requires a form of reliable identification of the respective parties to tie them to a certificate that represents this trust status. Certificates are not just a technicality. They are the basis upon which trust in a distributed system is built and established, without all entities really knowing each other in real life.

So, I see four major application areas which may need different treatment. The best CA is a more or less invisible one - strictly speaking from the usability standpoint.

  1. Server operators: the painless issuing of TLS certificates in a way that control over a domain implies a right to get a certificate issued (including a way to define SAN certificates). Formats should be suitable for installation into common key stores.

  2. E-Mail certificates: the painless issuing of end-user or application certificates. There may be two levels of certification - one that simply requires the user to have access to the e-mail address for which the certificate is issued (like the free Comodo e-mail S/MIME certificates right now), and one that ties the real-life identity (proven by a passport or other official document) to it. The latter has some implications regarding data protection.

  3. Code-signing certificates: the painless issuing of code-signing certificates to issue software updates. The target group is developers, so the process may be a bit less painless. As this is not a random process, one could require developers (as individuals) or software companies (as entities) to register beforehand, then get certificates issued as necessary.

  4. In the development and testing process, one often needs certificates of the above kinds on a temporary basis. While theoretically, everyone can create such certificates themselves with a few lines of OpenSSL commands, this is not really the path to go for most harmless users, and even experienced users may want to have this process more usable and more easily done. So, I would suggest that apart from an official CA for the purposes given above, there should be a “Test CA” providing the same. However, the Test CA would not be included in the typical lists of trusted CAs in browsers and operating systems. Only on development systems, one would include that CA to permit production-like behaviour.

Regarding the other items from the original list:

a) In no respect, CAs should deal with content or with anything else than certifying identities. That’s not their business. It may be the business of a separate software component (from some vendor) that verifies certificates and warns of discrepancies. That opens the option to have freely-available, open-source components we can trust.

b) The rating of sites, users or entities is not the task of a CA. That would be a rating institution or some form of collaborative effort (as you find, e.g., on stopforumspam.com). The criteria by which a CA issues certificates must be clear and sufficiently strict to IDENTIFY, not to rate. Ratings change. Identities (if properly defined and validated) don’t. So, a CA may use a SPAM/harmful rating of a domain to refuse issuing/extending SSL certificates without further validation. However, what is harmful? Who checks? Who evaluates by which standards?

c) The rating of the contents of an individual page is a difficult matter, and it should certainly not be a duty of a CA. Again, CAs deal with identities (connecting physical identities and electronic identities through a suitable process), and a rating of content does not depend on the identity; it also depends on the personal, cultural, social and other forms of background of the respective user. That’s far beyond certification.

As there are plenty of CAs out there already, I believe the features of a new CA must be first and foremost improved usability, and second reduced cost (in comparison to GoDaddy and the other usual suspects). Looking into rating processes should be separate.

–j.
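As an added illustration of points 1 and 4 above (a SAN server certificate issued on the basis of domain control, and a separate “Test CA” that is only ever trusted on development machines), here is the “few lines of OpenSSL commands” version of such a Test CA. This is example code written for this thread, not anything from the poster or from any real CA. It assumes a POSIX shell with an OpenSSL 1.1.0 or newer binary on PATH; the domain `example.test`, the CA name and the host names are constructed for the demonstration. The one addition beyond the post is a name constraint on the Test CA, which is the check a practitioner would want: even if the test CA key leaks from a developer box, the CA cannot vouch for any name outside `example.test`, and `openssl verify` rejects such a certificate even though the CA signed it.

```shell
#!/bin/sh
# Added example, not from the thread: a throw-away, name-constrained "Test CA".
# Assumes openssl (1.1.0+) on PATH. example.test and all host names are constructed.
# As the post says, such a CA is trusted on development systems only, never in production.
set -eu

# make_test_ca DIR: create DIR/ca.key and DIR/ca.crt, a self-signed CA that may only
# sign leaf certificates (pathlen:0) for example.test and its subdomains.
make_test_ca() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[dn]
CN = Example Test CA (development only)
[v3_ca]
basicConstraints     = critical, CA:TRUE, pathlen:0
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
nameConstraints      = critical, permitted;DNS:example.test
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" -config "$dir/ca.cnf" 2>/dev/null
}

# issue_server_cert DIR NAME SANS: create DIR/NAME.key and DIR/NAME.crt signed by the
# test CA, with SANS as the subjectAltName list, e.g. "DNS:a.example.test,DNS:b.example.test".
issue_server_cert() {
    dir="$1"; name="$2"; sans="$3"
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n' "$name" > "$dir/$name.cnf"
    cat > "$dir/$name.ext" <<EOF
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = $sans
authorityKeyIdentifier = keyid,issuer
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/$name.cnf" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null &&
    openssl x509 -req -sha256 -days 30 -in "$dir/$name.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
}

# verify_against_ca DIR NAME HOST: succeed only if DIR/NAME.crt chains to DIR/ca.crt,
# satisfies the CA's name constraint and is valid for HOST (subjectAltName check).
verify_against_ca() {
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$3" "$1/$2.crt" >/dev/null 2>&1
}

# run_demo: build the CA, issue one in-scope and one out-of-scope certificate and
# show that the out-of-scope one is rejected even though the Test CA signed it.
run_demo() {
    work=$(mktemp -d)
    make_test_ca "$work"
    issue_server_cert "$work" www.example.test "DNS:www.example.test,DNS:api.example.test"
    issue_server_cert "$work" www.example.com  "DNS:www.example.com"
    for pair in "www.example.test api.example.test" \
                "www.example.test other.example.test" \
                "www.example.com www.example.com"; do
        set -- $pair
        if verify_against_ca "$work" "$1" "$2"; then
            echo "$1.crt for host $2: accepted"
        else
            echo "$1.crt for host $2: rejected"
        fi
    done
    rm -rf "$work"
}

# Run the demonstration when executed directly (does nothing if openssl is absent).
command -v openssl >/dev/null 2>&1 && run_demo
```

The certificate for `www.example.test` is accepted for `api.example.test` (it is in the SAN list) and rejected for `other.example.test` (it is not), which is the domain-control property of point 1. The certificate for `www.example.com` is rejected by the verifier despite carrying a valid signature from the Test CA, because the CA's own `nameConstraints` extension limits what it is allowed to certify; that is what keeps a development-only CA from becoming a general-purpose one if it ends up in the wrong trust store.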