Authenticate Logos on Gmail Messages? Good Idea — if Google Can First Fix the Certification Problem.
Here’s how it can be done.
Google announced that it’s about to roll out BIMI (Brand Indicators for Message Identification) and VMC (Verified Mark Certificate) support for Gmail messages. Mark Vojtko, in his July 6th article for Hashed Out, says that Google intends to use the BIMI and VMC support to verify that the logos on sent messages do, in fact, belong to the sender.
The process of doing that will involve third-party certification authorities. While it’s great that Google is trying to provide a way for people to authenticate the source of a message received on their Gmail, there’s still a disconnect. What guarantee do we have that the certification authorities can be trusted?
Certification authorities are commercial enterprises. They can be restructured, sold, or wound up. There’s simply no guarantee that the certificates they issue cannot be fraudulent.
And yes, there is plenty of precedent for it, starting with something that hits close to home for the organization I work for.
Let Me Tell a Short Story…
After the ITU, a United Nations agency, handed off their World e-Trust Initiative to us on March 7, 2005, we set out to constitute its certification authority as a digital municipality, the City of Osmio. We sought the technical help of StartCom, a commercial CA noted for its strong integrity (digital certification is immensely profitable if you skip that costly integrity part :)). We ended up investing in StartCom and then doing it ourselves.
Eventually, StartCom put itself up for sale. Now when a company with a strong asset puts itself up for sale, the most likely buyers are companies that lack that asset — right? So the buyer of StartCom was a company that immediately set out to issue fraudulent certificates.
We and our fellow investors received a good financial return on the sale. As for the return on peace of mind, well, that’s another matter.
That wasn’t — and isn’t — the only story that illustrates the fundamental flaw in the whole notion of a commercial certification authority. We won’t mention names here, but some large commercial CAs built networks of dealers — yes, dealers — to sell their certificates. Speaking of Google, I happen to know an individual who purchased from one of those dealers a certificate attesting that they owned the domain google.com!
So let’s think about this. Suppose Joe’s Pawn Shop, Check Cashing and Payday Loans, you know, over on the seedy part of town, started issuing passports, drivers’ licenses and birth certificates. In the physical world that would be preposterous of course. Never gonna happen, right?
So why do we think that arrangement is OK in the digital world? It’s just bizarre.
One of the earliest e-tailers, Toysmart, had a rock-solid privacy policy and practice. No one got the names, addresses, emails etc. of their customers.
Then Toysmart ran into financial trouble. Guess who stepped forward to buy the company. Was it someone who wanted to resume grinding on a business model that wasn’t working? Of course not. The sale attracted a buyer who shut down the eCommerce operation and kept the customer database, which included credit card numbers. Very fortunately, Disney had a small equity interest in the company and didn’t want their good name associated with those crooks, so they bought the remains of the company and retired the database.
Companies are bought and sold all the time. Company management changes. New slates of directors take over and throw out the values and principles and practices of the previous regime in order to squeeze out some incremental profit. Haven’t we all seen a restaurant that built up a reputation for quality get sold to a new owner who milks the reputation for a few years with crummy food and service?
What Google is trying to do is a step in the right direction, but there is a missing ingredient. To add that ingredient, we must think about information security differently.
Certification Authorities Shouldn’t Be Businesses
Anyone can set up a certification business. It's true that an industry standards organization, the CAB Forum (https://cabforum.org/), requires that its members adhere to strict professional standards. StartCom was a CAB Forum member. Presumably that relationship ended when its new owners decided to ignore those standards.
A city's or nation's vital records department cannot be bought and sold. While our assertion that a municipality is owned by its residents has stirred up some surprising controversy, the word 'Authority' in a municipal certification authority has real meaning.
That’s why certification must come from a DCPA, a Duly Constituted Public Authority. You may be able to buy the politicians in city hall, but you can’t buy their source of authority because everyone who works in its vital records department or professional licensing department understands that the careful maintenance of that authority is the only thing that gets them their paycheck. Don’t try to pull a fast one on Maude at the service counter at city hall because she’s going to know what you’re up to.
In our physical world, birth certificates, driver’s licenses and professional licenses are certificates issued by duly constituted public authorities. These certificates are the authorities’ attestation to the claims made by the holders of the certificates. For instance, a driver’s license is the issuing authority’s attestation that the holder's claim that they can drive is true.
Digital certificates are supposed to attest to the claims we make online. However, unlike public notaries who carry criminal liability if they misuse their authority, commercial certification authorities cannot be held accountable for fraudulent digital certifications.
Digital certificates, which are supposed to guarantee internet users that the site they are on is secure, are hawked online like toys.
Imagine going into a state where identity certificates and professional licenses are advertised and sold openly. Would you trust anyone to know how to drive even if they had a driving license? Would you trust that anyone is who they say they are even if they had an ID? Would you trust any building in that state if building professionals were buying their professional licenses by the roadside?
The world’s certification system is hopelessly broken and we must fix it if we want to have reliable digital identity certificates.
Watch the video below to learn how certification can be done the right way.