Gmail and SSL

Jimmy Hess mysidia at
Thu Jan 3 03:02:00 UTC 2013

On 1/2/13, Steven Bellovin <smb at> wrote:
It's ashame they've stuck with a hardcoded list of "Acceptable CAs"
for certain certificates; that would be very difficult to update. The
major banks, Facebook, Hotmail, etc,   possibly have not made a
promise to anyone,  that all their future new renewal certificates
will be from a specific CA;   would be more interesting, if the Chrome
devs provided for a mechanism  for making a remote query or receiving
a digitally signed "PINned cert list" download,  that could be updated
 dynamically,   /and/  provided policy and mechanisms to have sites
included in the list.

One of the broken things about X500,  is a certificate can only have
one signature.
The trust could be strengthened,  if  there were a mechanism allowing
multiple 3rd party attestations to be made  (eg  PGP-like  multiple
signatures), or

a browser could be configured to only accept a certificate, if  BOTH
   (i)  Signed by a CA,   and

   (ii) The certificate's information, or the CA information for the
cert is published in a 3rd party corroborating database,   that  also
requires proof of ID/authorization to publish in that DB.

  (iii)  And the server does the work of querying the 3rd party
databases listed by the client, by sending the CA ID, Certificate ID,
through a query to some standardized URL format, and returns the
timestamped digitally signed result  (query answer, or affirmative
proof of no entry in the DB), during authentication, together with the

Depending on the authenticating browser's config, a domain not found
in the 3rd party corroborating datasources,   or listed by the 3rd
party source  with an attestation level of "Only domain control
validated",  might result in the CA's signature being ignored.

That is: the browser (or the user)  should pick how strong  the
certificate has to be, depending on the kind of business they will be
executing over the SSL channel.

CA's  could later become required to check at least 2 3rd party
databases,  to ensure any prior certificate issued by another CA was
actually revoked or expired, before allowing the signing of a new

> Thanks.  The list is longer, but with the exception of Twitter (and possibly
> intuit -- a subdomain
> is shown), not a lot more interesting.  I don't see major banks, I don't see
> Facebook or Hotmail,
> I don't see the big CAs, etc.

> 		--Steve Bellovin,

More information about the NANOG mailing list