Root of Trust
Full Title or Meme
The highest level certificate in a certificate trust chain.
Context
The Root of Trust is not the highest level of trust. Any system contains a trust list holding a certificate for each Root of Trust that it accepts. The most common case is the user's browser; every browser ships with a list of roots that is updated from time to time as exploits are discovered.
The following quote illustrates why all of the existing trust networks reacted strongly against the EU proposal to require web sites to honor all 27 member states' trust anchors. Nobody in the security community trusts any government to hold the roots of trust.
So the obvious question: if we don't trust the governments, who do we trust? Maybe the CA/B Forum (upon which all common browsers depend)?
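The trust-list check described above, as an added example that is not part of this wiki page, using Go's standard crypto/x509 library: two self-signed roots are equally valid certificates, but a leaf verifies only when its root is on the list handed to the verifier. The helper newCert and the names Constructed Root A, Constructed Root B and example.test are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert issues a certificate for cn signed by parent; with parent == nil it is
// self-signed, i.e. a candidate Root of Trust. Constructed helper, not a real CA.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, // Verify requires IsCA on every issuer
	}
	if !isCA { tmpl.DNSNames = []string{cn} } // leaf: the name a browser would check
	if parent == nil { parent, parentKey = tmpl, key } // no issuer: sign with own key
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// ChainTrusted is the trust-list check a browser performs: leaf is accepted only
// if it chains to a root on the list; being self-signed and valid is not enough.
func ChainTrusted(leaf *x509.Certificate, trustList ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, root := range trustList { pool.AddCert(root) }
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: leaf.DNSNames[0]})
	return err == nil
}

// Demo lists only Root A of two valid self-signed roots; returns (A ok, B ok, B ok once B is listed).
func Demo() (bool, bool, bool) {
	rootA, keyA := newCert("Constructed Root A", true, nil, nil)
	rootB, keyB := newCert("Constructed Root B", true, nil, nil)
	leafA, _ := newCert("example.test", false, rootA, keyA)
	leafB, _ := newCert("example.test", false, rootB, keyB)
	return ChainTrusted(leafA, rootA), ChainTrusted(leafB, rootA), ChainTrusted(leafB, rootA, rootB)
}

func main() { fmt.Println(Demo()) } // prints: true false true
```

The third result shows the "update from time to time" step in the other direction: the trust list, not the root certificate, decides what is accepted.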
From Ryan Hurst
When we look at the Storm-0558 and DigiNotar incidents side by side, we find striking similarities in their repercussions and severity. Both cases involve significant breaches orchestrated by nation-states, China and Iran respectively, targeting critical digital infrastructure and security protocols that are designed to safeguard user data and communications.
In the case of Storm-0558, the skilled dismantling of Microsoft's authentication infrastructure not only compromised the integrity of Exchange inboxes but potentially rendered confidential information accessible to unauthorized entities.
Similarly, the DigiNotar breach constituted a severe undermining of internet security, as the attackers were able to issue trusted certificates that facilitated man-in-the-middle attacks. This compromised user interactions with sensitive services, including email communications.
Given their similar impact on user privacy and internet security, it begs the question: are we treating both incidents with equal gravitas and severity?
If not, we must ask the question as to why, and what are the consequences of that reality?
To answer these questions it might be useful to think about a different kind of breach of trust that happened in the late 2010s where a fake vaccination campaign was used as a cover to collect DNA samples in the hunt for Osama bin Laden. That move ended up causing a lot of people in the area to give a side-eye to vaccination drives, fearing there's more than meets the eye.
It almost feels like sometimes, big tech in the US gets to bend the rules a little, while smaller players or those from other parts of the world have to toe the line. It's this uneven ground that can breed mistrust and skepticism, making folks doubt the systems meant to protect them.
In short, these decisions to compromise core infrastructure come with long-term consequences that are surely not being fully considered.
Reference
- Also see the wiki page Self-signed Certificate, on which most trust roots depend.