Obama's manifesto on technology gives hope for a global effort to establish the trust needed to secure the PKI.
From an IS perspective, President Obama's manifesto on technology is interesting. It's unusual to see something as specific as a mention of “phishing” in such a high-level policy document. This is in the “individual's right to privacy” section – alongside the commitment to increase the Federal Trade Commission's (FTC) budget, to step up international co-operation to track down cybercriminals.
This will be seen by some as the start of “big government” muscling in on the free and unrestricted internet, jarring with Obama's other objective of protecting the “openness of the internet”.
It is easy to forget just how new the internet and the ecommerce systems that run on it are – and how unregulated it all is. The web has turned from the “global village” into a vast system through which millions of pounds' worth of transactions are conducted every day.
Before getting upset about an increase in regulations, it's interesting to look at history. Nowadays, we grumble about the size of government departments, and the various agencies interfering with our everyday business. Before Queen Victoria, the number of people occupied in running national government was numbered in the hundreds. During the Victorian age, the numbers exploded.
That period has parallels with the development of the internet: industrialisation created giant cities, replacing the village economy of previous generations. When you knew your shopkeeper personally, you could trust them. In the new big city, the sack of grain might look good on the outside, but the inside would be bulked out with rubbish. Trust doesn't figure much in economic textbooks, but it is all-important.
The Victorians also created brands where technological innovations such as canned food were all about trust. You knew that no one had been able to interfere with the contents of the tin, you could trust the brand on the label. But technological innovations weren't enough. Independent agencies, funded through taxation to be impartial to the pressures of trade, were set up in all industrialised economies, developing and enforcing standards to create the levels of trust required to support the economic system. It is thanks to the Food Standards Agency, or its predecessors, that when you buy a loaf of bread, you can be sure it isn't going to kill you.
Trust is key to transactions on the internet, but it has been found wanting recently, from phishing and spam caused by an overly trusting SMTP protocol, to recently discovered flaws in DNS – a system built largely on blindly trusting the responses to queries made.
There was a more significant breakdown in trust at the end of 2008. It was addressed in Nick Barron's column in February's SC but deserves still more coverage. Trust in ecommerce is built on a Public Key Infrastructure, itself dependent on DNS. You trust a merchant to be what it says it is because of the SSL certificate it uses, all based on the trusted third party, the Certificate Authority, or CA. When Eddy Nigg of Startcom as an experiment successfully purchased the SSL certificate to the domain mozilla.com without validation, it highlighted the weaknesses of this trust-based system.
You could buy a certificate for any organisation's domain, or one similar to it, without any checks being performed. It is a system that polices itself but, apparently, not very well. It is also too complex to rely on the value of a brand, or a reseller's reputation, to protect it. The implications of this are immense. This revelation was followed by news that certain CA certificates could be cryptographically broken, enabling an attacker to create their own certificates, apparently signed by a trusted third party, so breaking the technological basis of trust.
The challenge of the Obama administration will be to address these issues on a global basis – not just creating a standards agency for the US alone, to check on the quality of areas such as PKI, but to create a supra-national way of doing this.