[Cryptography] Verisimilitrust

Peter Gutmann pgut001 at cs.auckland.ac.nz
Fri Jan 8 04:09:41 EST 2016


From the Mozilla policy list, in a discussion about what to do about
Kazakhstan requesting that their MITM certificate be added to the browser
trust lists:

  It would appear from this information, that this CA (and probably others
  like it) is deliberately serving a dual role:

  1. It is the legitimate trust anchor for some domains that browser
     users will need to access (in this case: Kazakh government sites
     under gov.kz).

  2. It is the trust anchor for fake MITM certificates used to harm
     browser users, and which should thus be regarded as invalid.

causing an immediate panicked response to try and find a reason to deny the
request, because the CA/Browser Forum policies don't actually say you can't
have an acknowledged MITM cert as a trusted root:

  Kazakhstan has submitted the request for root inclusion:
  https://bugzilla.mozilla.org/show_bug.cgi?id=1232689

  So, we really do need to have this discussion now.

I think we need to formally give up on the use of the word "trust" in its
conventional sense in relation to PKI.  Browser PKI has done to the term
"trust" what the popular press has done to the word "hacker".

  Thus it would be prudent to extend the trust list format (and the NSS code
  using it) to be able to specify additional restrictions beyond those
  specified in the CA root itself.

  [...]

In other words certificates are going to be turned inside-out, instead of the
cert encoding policy-related information as per X.509, we've got a third party
(browser vendors) imposing its policy on the certificate from the outside.
We've already got the same third party overriding CAs on revocation via
hardcoded cert blacklists, and as has been shown over and over again, CAs do
only the bare minimum of checking for anything but EV certs.  So if this
change is made we can summarise the purpose of a CA as follows:

  Verify identity in certs - Not really (except to justify premium-priced EVs).
  Provide policy for certs - No, the browser vendor will.
  Provide revocation info for certs - No, the browser vendor will.
  Charge money to turn off the browser warnings - Yes.

So that's pretty much pared browser PKI down to its essence, a license to
print money for a select group of companies.

Peter.
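
The restriction proposed in the quoted policy-list text (a trust-list entry carrying limits beyond what the root certificate itself states) can be sketched as follows. This is an added example, not part of the original message and not NSS code: the `TrustEntry` record, the root name and the host names are constructed, and the matching follows the RFC 5280 rule for dNSName subtrees.

```python
# Added illustration. TrustEntry is a hypothetical trust-list record, not NSS's format.
from dataclasses import dataclass, field

@dataclass
class TrustEntry:
    root_name: str
    permitted_dns: list = field(default_factory=list)  # empty = no external restriction

def _labels(name):
    return name.lower().rstrip(".").split(".")

def within_subtree(dns_name, subtree):
    """True if dns_name equals subtree or extends it on the left by whole labels."""
    name, base = _labels(dns_name), _labels(subtree)
    if name[0] == "*":
        # A wildcard covers every one-label extension of its parent, so the
        # parent itself must sit inside the permitted subtree.
        name = name[1:]
    if not name or "" in name or "*" in name:
        return False  # empty, malformed, or wildcard outside the leftmost label
    return len(name) >= len(base) and name[-len(base):] == base

def leaf_allowed(entry, san_dns_names):
    """Apply the externally imposed restriction to a leaf chaining to entry's root."""
    if not entry.permitted_dns:
        return True
    if not san_dns_names:
        return False  # conservative choice: nothing to match against the restriction
    return all(
        any(within_subtree(n, s) for s in entry.permitted_dns)
        for n in san_dns_names
    )

# Constructed sample data: the root name and host names are made up.
ROOT = TrustEntry("Example National Root CA", permitted_dns=["gov.kz"])
SAMPLES = {
    "government site": ["portal.gov.kz"],
    "wildcard inside subtree": ["*.gov.kz"],
    "unrelated domain": ["www.example.com"],
    "wildcard above subtree": ["*.kz"],
    "suffix without label boundary": ["notgov.kz"],
    "mixed SAN list": ["portal.gov.kz", "mail.example.org"],
}

def run_samples():
    return {label: leaf_allowed(ROOT, names) for label, names in SAMPLES.items()}

if __name__ == "__main__":
    for label, ok in run_samples().items():
        print(f"{label:32} {'accept' if ok else 'reject'}")
```

Every SAN entry has to fall inside a permitted subtree, so a certificate that mixes an in-scope name with an out-of-scope one is rejected as a whole.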

