[Cryptography] "Trust in digital certificate ecosystem eroding"

ianG iang at iang.org
Sat May 2 13:21:30 EDT 2015


On 30/04/2015 23:34 pm, Andreas Junius wrote:
> Many people claim these days that the system is broken. But I don't
> think it is the system that is broken but some organisations don't
> deserve the trust they ask for. And that's the general problem with
> trust; it has to be earned, not to be assigned by another third party
> (like a browser vendor or an operating system manufacturer).
>
> I think that is the link where the system fails. We introduced that
> system of third parties issuing certificates to allow the user to limit
> the number of certificates to trust (otherwise they had to check every
> single certificate). But there are now thousands of CAs and it is now
> nearly impossible to trust all of them as an individual.
>
> I don't know how to fix that problem.


It's pretty much fixed if we re-label the institutions involved as to 
their actions not their marketing.  The browser vendors are the top 
level CAs.  Users actually can trust Mozilla to some extent, Apple to a 
greater extent, Microsoft to a lesser extent, and Google to whatever 
extent you desire.  Users choose their browser, and do so more or less 
consciously and with some base of information.

Then, under the top-level CAs, they have processes to choose a number of 
sub-CAs that the top-level CAs feel comfortable outsourcing the real 
certificate issuing part to. CAs do their RA ("Registration Authority") 
process by checking the documents and policies of the sub-CAs, and 
adding them to the root list.

The CAs are public brand names, they have exposure, and when they stuff 
up they are incentivised to repair their brand and sharpen their act. 
This process works, i.e., was shown to work just recently when 
Mozilla-CA dropped its Chinese subsidiary CA CNNIC.

The system works.  Indeed, it is the only way it can work, because the 
CAs have the brand and jealously guard it.  Until the 4 CAs above -- 
Google, Microsoft, Mozilla, Apple -- have a change of heart, and start 
sharing the branding on the chrome for the sub-CAs, then the system 
can't really change, the CAs have to make the decisions.  Nod to Bill, 
who says more!



iang



ps; we sometimes call the 4 top-level CAs über-CAs just to make the 
distinction between the marketing term of CA and the reality.

pps; to go deeper into this discussion, we'd have to talk about 
liability, but I'm trying not to be too depressed today so I'd rather not.

