[Cryptography] "Trust in digital certificate ecosystem eroding"
iang at iang.org
Sat May 2 13:21:30 EDT 2015
On 30/04/2015 23:34 pm, Andreas Junius wrote:
> Many people claim these days that the system is broken. But I don't
> think it is the system that is broken but some organisations don't
> deserve the trust they ask for. And that's the general problem with
> trust; it has to be earned, not to be assigned by another third party
> (like a browser vendor or an operating system manufacturer).
>
> I think that is the link where the system fails. We introduced that
> system of third parties issuing certificates to allow the user to limit
> the number of certificates to trust (otherwise they had to check every
> single certificate). But there are now thousands of CAs and it is now
> nearly impossible to trust all of them as an individual.
>
> I don't know how to fix that problem.
It's pretty much fixed if we re-label the institutions involved as to
their actions not their marketing. The browser vendors are the top
level CAs. Users actually can trust Mozilla to some extent, Apple to a
greater extent, Microsoft to a lesser extent, and Google to whatever
extent you desire. Users choose their browser, and do so more or less
consciously and with some base of information.

Then, under the top-level CAs, they have processes to choose a number of
sub-CAs that the top-level CAs feel comfortable outsourcing the real
certificate issuing part to. CAs do their RA ("Registration Authority")
process by checking the documents and policies of the sub-CAs, and
adding them to the root list.

The CAs are public brand names, they have exposure, and when they stuff
up they are incentivised to repair their brand and sharpen their act.
This process works, i.e., was shown to work just recently when
Mozilla-CA dropped its Chinese subsidiary CA CNNIC.

The system works. Indeed, it is the only way it can work, because the
CAs have the brand and jealously guard it. Until the 4 CAs above --
Google, Microsoft, Mozilla, Apple -- have a change of heart, and start
sharing the branding on the chrome for the sub-CAs, then the system
can't really change, the CAs have to make the decisions. Nod to Bill,
who says more!

ps; we sometimes call the 4 top level CAs über-CAs just to make the
distinction between the marketing term of CA and the reality.

pps; to go deeper into this discussion, we'd have to talk about
liability, but I'm trying not to be too depressed today so I'd rather not.