Long before browser vendors decided that the infamous padlock isn’t sufficient anymore for indicating a secure connection, I felt that I’d like to know much more about the certificates websites are using. Until today I knew only whether the certificate was issued from one of the root certificates the browser vendor deemed trustworthy enough to be shipped with their software - or not. All I knew was whether the issuer of a certificate is known to the browser or that something else might be wrong. The browser would only show me the padlock in the lower right corner, ever since the ol’ Netscape days. That was good for the certification authorities and bad for the users.
Lately efforts have been made by various browser vendors to improve the user interface and to give their users a better indication about a site’s certificate. Also, the new and soon-to-be-released version 3 of the Firefox browser will treat certificates very differently than we were used to. The same is true for other browsers, and I intend to write more about those improvements in a different article. For me, however, those changes aren’t going far enough in relation to what I want to know about a site and its certificate. For example, a low-assurance (domain validated) certificate is sufficient for protecting a forum or web log, but it isn’t for making a purchase at an online shop. And a highly validated certificate suitable for a major bank is most likely overkill for the small online vendor - about which I’d rather know who the person is, instead of some company name which might be gone by tomorrow. In that respect, the newly agreed extended validation (EV) guidelines don’t give me all the confidence I prefer. But how shall I know what I want to know when visiting a secured site?
Knowing about certification authorities and their particular practices for the various types of certificates they issue is a huge task which involves reading multiple documents, sometimes hundreds of pages long. One must be a professional in PKI in order to understand those documents, and have lots of knowledge about this industry, its various standards and audit criteria, in order to come to a positive assessment.
Browser vendors traditionally performed this very evaluation of certification authorities according to their own standards, understandings and priorities on behalf of their users. As a matter of fact, I’ve been involved in exactly one of these processes as a community member of Mozilla, by reviewing inclusion requests for new CA root certificates for Firefox(*). The relevant criteria for including a new root certificate at Mozilla are set by the Mozilla CA Policy, and each vendor has its own definitions. But obviously only the minimum requirements are evaluated, which themselves might be debatable depending on the vendor’s criteria. Today this also includes the EV guidelines, which in turn give most users just two different indicators.
Many times when reviewing policies, practice statements and other documents I thought that this or that information is certainly something many others would be interested to know as well, and that users of Firefox would appreciate knowing what I know. And what a waste of resources, because all that information is lost once the evaluation has ended and a decision about the particular CA has been taken. Very few individuals are involved in these processes and the knowledge is left with them.
Better Trust™ is supposed to change that in various ways. The primary goal of this effort is to provide the most information possible about certification authorities and their practices in the most transparent and efficient way. The target audience is anybody who cares - including software vendors, certification authorities, subscribers and would-be subscribers, and last but not least relying parties - the end user. Besides building a comprehensive database about providers, with comparison and categorized search functions, a Better Trust™ browser extension for the most popular browsers is planned, which should give the user the best indication about a site’s certificate with the least effort.
No policy and criteria have been written yet for Better Trust™, which I intend to define together with the developing community of this project. However, I outlined the basic principles for Better Trust™:
- Any CA operating publicly may be evaluated without regard to existing browser status.
- Any CA may be suggested for review by any party.
- Each CA root or their subordinated certificates shall be evaluated according to the same criteria.
- Issuing CA roots and their subordinated CA certificates shall be categorized in four basic levels.
- A points system shall be defined in addition to the basic levels which may influence the overall rating.
- All information and results shall be open to the general public without discrepancy.
For the Better Trust™ software extensions the following applies:
- The basic trust indicator shall not override that of the browser, which means that Better Trust™ doesn’t aim to circumvent the trust anchors built into the software (this implies all CA roots the user decided to trust).
- The extension may alter the additional indicators of the browser with its own UI implementation according to the Better Trust™ criteria.
If you want to download the Better Trust™ extension now or search the database for a particular CA, I have to disappoint you. This project is at the very beginning and it will take a while before being really useful. If you are however interested in contributing towards Better Trust™, be it as an editor of the policy and criteria, as a volunteer reviewing and evaluating CAs or as an extension developer, then join one of the mailing lists which are published at the Better Trust™ website. I will lead this project and intend to contribute a lot of information myself, based on my previous and future involvement at Mozilla. Join me in this effort, because we are entitled to know everything about our own security in a non-obscure way - let’s make sure that nobody gets away!
* Root certificates are actually included in the Network Security Services (NSS) module which is widely used by many applications, including Firefox.