Roosa points out that there are three major flaws in the CA Trust Model:
- Way too many CA providers.
Your browser trust more than 100 by default.
There are over 600 global CA providers.
Some are connected to governments or quasi-governments that you wouldn't want to deal with.
- Even legitimate CA providers have proven themselves incompetent in providing secure transactions.
They poorly configure their digital certificates.
They've issued digital certificates without checking if the entity requesting it is legitimate.
- Any of the CA providers can issue bogus, yet technically valid digital certificates to any website.
In other words, a crafty hacker could be issued a legitimate digital certificate for a legitimate bank, even though the hacker has no relationship with the bank.
With all of these issues surrounding how secured, encrypted communications on the web, Roosa advice for General Counsels is that they work along side their IT departments to make sure that they do not leave themselves open for "phishing" or "man in the middle" types of attacks that can come from untrustworthy CA providers:
As an initial matter, it is important for General Counsel to determine which outside organizations can be trusted with the security of the organization. Although the IT department should certainly be involved as well, it is a task that is most appropriate for General Counsel because it requires legal and investigative resources to: assess the criminal and regulatory background of the CAs, analyze affiliations with state actors and quasi-governmental entities, and determine the governing law that controls the CAs' conduct. The goal is for the organization to configure its browser platform so as to trust as few CAs as possible, and to "untrust" those CAs deemed to be unnecessary or untrustworthy. Additionally, the IT department may wish to explore the use of various plug-ins and software add-ons to assist in the detection of CA irregularities and CA-based attacks. Finally, businesses can also engage a CA in dialogue regarding the CA's practices, both with respect to adherence to best practices, and also to address the issue of whether, or to what extent, the CA trusts other CAs.Seems like solid advice. I'm wondering how many GC's will actually follow this advice and work along side their CIO's to identify which CA providers are trustworthy and which are not remains to be seen. I'd suggest that CIO's need to send a copy of Roosa's article over to their GC's to stress the importance of working together on this one.