There are two leading models for checking identity via public key cryptography. When someone demonstrates that they know the private key for a given public key, you can either check that you know the public key itself (the SSH model) or check that the public key is itself signed by an authority you approve of (the SSL CA model). In theory SSL can be used for either model; in practice, many SSL tools and APIs seem to be strongly convinced that you should use the certificate authority model. The problem with this is that the SSL CA security model has a major flaw, one that we have seen on display in the DigiNotar breach.

Any model needs to deal with the possibility of compromised or improperly issued certificates. The CA model's answer is a CRL, a list of certificates that you should not accept even though they have a valid CA signature. This is the problem: to create a CRL entry, you need to know the bad certificate. In fact you need to know some relatively specific information about a certificate in order to revoke it. In short, the SSL CA security model requires perfect CA knowledge.

In other words, the mechanism designed to cope with security breaches only works if the CA has a limited security breach; if they were broken into sufficiently badly that the attacker could issue certificates but not so badly to allow the attacker to prevent those certificates from being recorded correctly. If the security breach is not limited, or even if you don't know whether it was or was not limited, the only recourse in the SSL CA model is to revoke your approval of the CA itself, which results in all CA-signed signatures being rejected.

This is more or less exactly what happened with DigiNotar. No one believes any more that DigiNotar knows what bad certificates have been issued with its signature (their list of such certificates has already grown several times, and may yet grow again). In the absence of trustworthy knowledge, the only remedy possible is dropping DigiNotar's root certificate.

The SSH model does not necessarily scale when you are dealing with a large and unpredictable set of identities, but it works perfectly well when you are dealing with a smaller, enumerable set. And it does not require perfect knowledge of what identities you may have been compromised (or just fooled) into certifying. Hence my long standing desire to see SSL tools support direct certificate checking.

(When I wrote that original entry, I did not expect that we would get such a perfect illustration of the problem. Sadly, we did.)