[Cryptography] distrusted root CA: WoSign

Ben Laurie ben at links.org
Sun Oct 2 13:43:28 EDT 2016


On 2 October 2016 at 05:35, Peter Gutmann <pgut001 at cs.auckland.ac.nz> wrote:
> John Denker <jsd at av8n.com> writes:
>
>>We *do* have choices.  There are a *lot* of things that could be done better,
>>without dropping off the grid.
>
> It depends on who you mean by "we".  When I said "we" I meant the end user,
> you, me, everyone around you.  We have no choice.  We have to take what the
> browser vendors give us, which in turn is what the CA/B Forum wants us to
> have, and their response to the ongoing failure of PKI [0] is to give us more
> PKI.
>
>>FWIW https://letsencrypt.org/ is issuing free certificates, which seems like
>>a major departure from the status quo ante.
>
> That's just fixing a problem that was created by the browser vendors in the
> first place, the fact that the browsers are set up so that you need to ask a
> CA for permission to use encryption.  They could have done the same thing
> years ago by allowing anon-DH.

anon-DH is not the same thing. Not saying browsers should not have
allowed it, but clearly it has different properties - in particular,
revocation is impossible.

> Even then, as Jerry Leichter pointed out in a previous message, they're still
> requiring you to ask a CA to use encryption, they've just acted, years too
> late, to blunt the most obvious criticism.  Ever tried to set up TLS on a non-
> public-Internet network (RFC 1918 or whatever)?  You basically can't, unless
> you use your own software on both the client and server.  Browsers just don't
> work there, because needing to ask a CA for permission to encrypt is hardwired
> into them.

I am confused by this claim: you can add your own roots to browsers...

> Peter.
>
> [0] Now I know some people are going to claim PKI isn't a failure, and to some
>     extent that's correct, since there was never any mission statement for PKI
>     beyond "you asked for PKI, here is some" it's not really possible to say
>     it's failed.  Or succeeded.  Or anything really.  However given that twenty
>     years of evidence indicates it has no effect on phishing, malware, or much
>     of anything else that you'd sort of expect it to deal with, I'm going to
>     say it's been a failure.

The problem PKI demonstrably does solve is that when I connect to
google.com (or a host of other well-known domains) I really am
connecting to them.

I don't know why you'd expect it to solve phishing - that is to do
with linking identity to domain names, something the PKI doesn't
really claim to do (well, maybe EV, but studies show that isn't a
great success). Or malware, which seems like an entirely orthogonal
problem.

Of course, it is easy to claim that PKI should be "sort of expected"
to solve these problems - but in the absence of any plausible proposal
to solve them, I call bullshit. I "sort of expect" you to solve these
problems, but you demonstrably have not. Nor even proposed a viable
way to do so.

Don't get me wrong: I would love these problems to be solved, but I
don't know how (well, I think transparency helps :-). Complaining that
various things don't do it is not really progress.
