
Truth in Web Digital Identity?

February 9, 2020

Most of us, when we go to a website and see the little lock at the top of the browser, don’t think twice and trust that we are communicating with the right company or organization. However, this is no longer the case because of a rather radical development that has largely occurred without notice or intervention by almost everyone. The web now has its own rapidly spreading version of CallerID spoofing that is about to get worse.

Thirty-five years ago, the National Security Agency, working with the private sector, developed what has proven to be the most important and widely used means for digital identity trust. It is known as the Public Key Infrastructure digital certificate, or “PKI cert” for short, and was specified in a global intergovernmental standard known as ITU-T X.509.

The idea was simple. Any organization that wants to be trusted goes to a special provider known as a public Certificate Authority (CA) who is supposed to verify certain essential identity basics, and then issue a unique, encrypted key — the PKI cert — to the organization with its identity information securely contained. The platform was approved by all the world’s governments and became the basis for trusted digital identity globally. Europe added further trust features through an ETSI Electronic Signatures and Infrastructures standards group.

Then came the World Wide Web, with sites all over the world serving as a kind of universal user interface to billions of people. The problem was that users couldn’t trust who was actually running the websites. So a little over ten years ago, the five companies that produce most of the world’s web browsers got together with most of the CAs to develop a standard for vetting organization identity for trusted website certificates and for displaying that information in the little lock icon that appears at the top of the browser. They collaborate and reach agreements through an organization known as the CA/Browser Forum. The activity has very far-reaching, fundamental cybersecurity consequences, as they control who gets trusted, how verification occurs, and how that trust is conveyed to billions of users around the world.

Until relatively recently, as required by well-established global standards and practices, PKI certs involved substantial vetting of an organization’s identity, which was then coded into the certificate and displayed to end-users in the browser lock. There was even a high-trust certificate known as an “extended validation certificate” that turned the lock green in most browsers and displayed the validated name.

However, starting in 2013, several parties started up a 501(c)(3) non-profit corporation in Silicon Valley (Internet Security Research Group) to dramatically disrupt the digital identity world by issuing free, zero-trust, instant certificates with no organization identity vetting. These so-called Domain Certificates were then marketed commercially beginning in 2016 under the registered trademark Let’s Encrypt®, and browser vendors were asked to recognize them as coming from a trusted CA. If you see one of these Let’s Encrypt certificates (identified as “DST Root CA X3”) and click on the lock, the Subject Organization identity information is completely missing and simply says “unknown.” It is caveat emptor.
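The “unknown” organization the post describes is visible in the certificate itself: a domain-validated certificate carries no Organization (O) attribute in its Subject Name, while an OV or EV certificate does. The following added example (not code from the post) walks the DER structure of an X.509 certificate down to the Subject Name and reports whether an O attribute is present; the two sample certificates are constructed inline, unsigned, with placeholder names.

```python
# Minimal DER walker for the Subject Name of an X.509 certificate (added example).
# Sample certificates below are constructed for the demo; they carry no real key or signature.
OID_NAMES = {bytes.fromhex("550403"): "CN", bytes.fromhex("55040a"): "O",
             bytes.fromhex("550406"): "C", bytes.fromhex("550407"): "L"}

def der_len(n):                               # DER length: short form, or 0x81/0x82 + bytes
    return bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82]) + n.to_bytes(2, "big")

def tlv(tag, payload):                        # one DER tag-length-value element
    return bytes([tag]) + der_len(len(payload)) + payload

def read_tlv(buf, pos):
    """Return (tag, value, position after this TLV) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long-form length: low bits give byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def subject_attributes(cert_der):
    """Walk Certificate -> tbsCertificate -> subject; return {attribute: value}."""
    _, tbs, _ = read_tlv(read_tlv(cert_der, 0)[1], 0)
    tag, _, pos = read_tlv(tbs, 0)
    pos = pos if tag == 0xA0 else 0           # [0] EXPLICIT version is optional (absent in v1)
    for _ in range(4):                        # skip serialNumber, signature, issuer, validity
        _, _, pos = read_tlv(tbs, pos)
    subject, attrs, pos = read_tlv(tbs, pos)[1], {}, 0
    while pos < len(subject):                 # empty subject (some DV certs) yields {}
        _, rdn, pos = read_tlv(subject, pos)  # RelativeDistinguishedName (SET)
        _, atv, _ = read_tlv(rdn, 0)          # AttributeTypeAndValue (SEQUENCE)
        _, oid, vpos = read_tlv(atv, 0)
        _, value, _ = read_tlv(atv, vpos)
        attrs[OID_NAMES.get(oid, oid.hex())] = value.decode("utf-8")
    return attrs

def identity_level(cert_der):                 # what a browser's lock dialog could show
    return "organization" if "O" in subject_attributes(cert_der) else "domain-only"

def _attr(oid_hex, text):                     # SET { SEQUENCE { OID, UTF8String } }
    return tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + tlv(0x0C, text.encode())))

def make_cert(subject_attrs):
    """Constructed, unsigned certificate with the real tbsCertificate field order."""
    tbs = (tlv(0xA0, tlv(0x02, b"\x02"))                                    # version v3
           + tlv(0x02, b"\x01")                                             # serialNumber
           + tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")))      # sha256WithRSA
           + tlv(0x30, _attr("550403", "Example Issuer CA"))                # issuer (placeholder)
           + tlv(0x30, tlv(0x17, b"200101000000Z") + tlv(0x17, b"210101000000Z"))  # validity
           + tlv(0x30, b"".join(_attr(o, v) for o, v in subject_attrs))     # subject
           + tlv(0x30, b""))                                                # SPKI placeholder
    return tlv(0x30, tlv(0x30, tbs) + tlv(0x30, b"") + tlv(0x03, b"\x00"))

DV_CERT = make_cert([("550403", "www.example.com")])                        # CN only: no O
OV_CERT = make_cert([("550406", "US"), ("55040a", "Example Corp"), ("550403", "www.example.com")])
```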

The tactic proved enormously successful, as the organization itself described in a highly detailed, tell-all paper presented at a London conference and made public last December. As they note in the paper, it “has grown to become the world’s largest HTTPS CA… and by January 2019, it had issued over 538 million certificates…” The paper also documents how Let’s Encrypt has had a profound effect on the CA market, which it now dominates with 57% of the certificates. “Let’s Encrypt has seen rapidly growing adoption among top million sites since its launch, while most other CAs have not.” They also describe how they used the Internet Engineering Task Force (IETF) to leverage their activities. The commercial opportunity was further facilitated through sponsors who make tax-exempt contributions to the organization’s $3.5 million reported 2018 income, some of whom then market the certificates as part of their business offerings.

The paper also admits that “important security challenges remain.” The cybersecurity impacts arise because, with zero validation, anyone with an interest in spoofing, hiding their identity, or otherwise exploiting security flaws can do so, and indeed has.

Legal and public policy concerns

Although Let’s Encrypt has a small section in its December paper describing the “legal environment,” it doesn’t even begin to treat the major national security, public policy, public safety, antitrust, tort liability, law enforcement, IRS, and consumer protection dimensions, which have received virtually no notice or discussion. Perhaps the most central concern can be summed up in four questions: who gets to decide who is trusted, with what level of vetting, with what manner of notice to end-users, and who bears the consequences.

The challenge of digital identity trust was largely solved 35 years ago through a comprehensive, visionary Reagan Administration initiative known as Secure Data Network Systems (SDNS), which in fact was responsible for today’s X.509 PKI environment. However, all the public-private administrative and identity vetting actions necessary to successfully implement the platform were eliminated a decade later by the Clinton-Gore Administration, in the belief that Silicon Valley itself could handle everything and grow the information economy.

As a result, we have inherited a world of rampant cybersecurity and societal problems stemming from an inability to trust anything online, where some of the most important identity trust decisions for most of the world’s population are made by a handful of firms and organizations with no oversight, control, or consequences. It seems long overdue for a concerted global public-private effort to significantly improve digital identity trust for the web and for all the giga-objects and services that will constitute the new 5G virtualized communications ecosystem. A potential sweetener for Silicon Valley in accepting government involvement is relief from the potentially enormous antitrust, consumer protection, and tort liability consequences.