[Cryptography] Certificates and PKI

[Ben Laurie]

On 19 December 2014 at 11:38, Jerry Leichter <leichter at lrw.com> wrote:
>
> So Google has announced that in the future they Chrome mark HTTP connections as "risky", perhaps moving the world toward "all encryption all the time".  However, all the browser makers - Firefox in particular - continue their war against self-signed certificates.
>
> If your goal is security against passive eavesdroppers - and, in particular, against "record everything" government agencies - then a self-signed certificate is as good as anything.
>
> If you want to defend against active MITM attacks, then you need a trustworthy certificate.  But as we all know, the current model of hundreds of equally-trusted CA's cannot possibly produce legitimate trust.
>
> Recent efforts like certificate pinning and certificate transparency can go a long way toward proving trust in certificates - *but they can work equally well no matter who signs the certificate!*

Pinning does indeed not care who signed the certificate. However, it
introduces an apparently insurmountable problem: what happens when you
lose your key? And, to be clear, by "lose", I mean, "no longer have
access to". It seems that your website is then unavailable for
whatever the pin expiry time is. We don't think that's acceptable, nor
fixable without introducing some entity with essentially the same role
as a CA.

Dealing with leaked (i.e. usable by someone other than you) keys is
also problematic - how do you ever regain control of your domain if
you've ever had it taken over by a bad guy?

CT does care, but for more subtle reasons:

a) If anyone can sign a cert, how do we avoid spamming logs into
uselessness? Right now, we use CA signatures as a mechanism to
attribute log entries to some entity that can be held to account for
spam.

b) If there's nothing in a CA-like role, then what do you do when the
log shows a certificate that is not correct? i.e. how do you revoke
it?

I am a lot less worried about b than I am about a: just because we're
not sure what to do about something doesn't seem like a good reason to
not find out about it. However, I do wonder how people think a
practical system with no CA-like entities is supposed to work?

>   Granted, they were *designed* on the assumption that the pinned/recorded CA was one of the "blessed" CA's that every browser comes with - but there's nothing that requires that.  A "pinned" self-signed certificate - pinned to itself - is as trustworthy as any other pinned certificate.  (In fact, it's basically just a wasteful representation of trusted public key store, something I've discussed here previously.  But it fits into the existing infrastructure with no changes.)  The security of certificate transparency doesn't come from CA's - it comes from the owners of sites watching for attempts to create certificates in their name.  That works no matter where the legitimate certificates come from.
>
> How can we get the browser makers to stop buying in to the PKI fiction that does little except keep the CA business model alive?

Propose an actual workable alternative would be a good first step. I
know that at this point IanG and Peter will say that I cannot ask this
because I will just shoot down anything you propose with petty
objections. However, I promise any objections I make will not be
petty.