[Cryptography] distrusted root CA: WoSign

Ben Laurie ben at links.org
Mon Oct 3 06:50:34 EDT 2016


On 3 October 2016 at 08:31, Stephen Farrell <stephen.farrell at cs.tcd.ie> wrote:
>
> Hiya,
>
> On 03/10/16 06:10, Ben Laurie wrote:
>> On 2 October 2016 at 19:55, Stephen Farrell <stephen.farrell at cs.tcd.ie> wrote:
>>>
>>> Hiya,
>>>
>>> On 01/10/16 23:02, Ben Laurie wrote:
>>>> On 1 October 2016 at 10:12, Peter Gutmann <pgut001 at cs.auckland.ac.nz>
>>>> wrote:
>>>>> John Denker <jsd at av8n.com> writes:
>>>>>
>>>>>> In general, why do we put up with this?  Why, why, why?
>>>>>
>>>>> Because we have no choice.  What are you going to do in order to
>>>>> opt out, stop using the web?  It's a totally captive market.
>>>>>
>>>>> Note that things are run by the CA/Browser forum, not the
>>>>> CA/Browser/web site operator/end user/customer forum.  The only
>>>>> people with a say in things are the ones who are making money off
>>>>> the whole racket, and they aren't going to do anything to change
>>>>> the status quo.
>>>>
>>>> I am so sick of this lame rhetoric.
>>>
>>> While I agree that Peter's rhetoric is a bit OTT, there is a real
>>> issue reflected in the above - the lack of any voice for users of
>>> browsers, web server developers and content authors is IMO a real
>>> reason to be somewhat wary of CAB forum. I don't know that there
>>> are any moves to improve that situation, though of course there may
>>> be.
>>
>> Users have a voice, as Peter well knows, at least in Mozilla's
>> selection and vetting of CAs.
>
> So yes, Mozilla have a public list and a process.
>
> That's very far from covering the points Peter and I raised
> about who has a voice inside CAB forum.

I disagree. The question is who has power to influence browser root
programs, surely, not who gets to attend what meeting?

>> Microsoft and Apple could do the same
>> thing.
>
> They could and that'd be an improvement. It'd still not be
> a "fix" for the CAB forum though.
>
> I guess Google could do similarly too. (I wonder why you
> didn't mention Google - do they do something different or
> follow the Mozilla process?)

I didn't mention Google because Google doesn't have a root program. :-)

>>>> What is your proposed solution? Put up or shut up.
>>>>
>>>> More polite version: yes, it is a hard problem, but how do you solve
>>>> it without some kind of central authority? On what basis can the end
>>>> user validate a certificate, other than some authority doing it on
>>>> their behalf? Of course I think that adding transparency to those
>>>> authorities is a major win, but other than that, where do you go?
>>>> Alternatives like DANE are just shuffling the deck chairs on the
>>>> Titanic.
>>>
>>> What Viktor said.
>>
>> I already responded to Viktor.
>
> He's still correct though:-) There's no need to diss DANE in this.

When people think DANE is some kind of magic bullet to solve key
distribution there is definitely need to push back on that notion -
the problem being that DNS is even more unreliable than CAs, has a
root program that is even less democratic than the CA ecosystem,
relies on a protocol that has proved to be essentially undeployable,
so far, and is in need of a CT-like mechanism (which presumably will
be no easier to deploy than CT is, and hasn't even been started yet).

> DANE's another attempt to improve things which may find a niche
> where it does help. (SMTP/TLS in particular, but who knows maybe
> back in the web later if something like [1] gets traction.)

SMTP/TLS is definitely a mess!

>    [1] https://tools.ietf.org/html/draft-ietf-tls-dnssec-chain-extension

Cool, but we know it takes at least a decade to deploy something like
this (which is why CT has alternate mechanisms - I suggest doing
something similar as an interim measure for dnssec).

>>>> What can you do that is radically better than CAs + transparency?
>>>
>>> That is a fine question. I've not seen any good answers myself in
>>> the last 20 years which is a shame. I have seen many proposals for
>>> things that are a little better than X.509-based PKI, but none of
>>> them that were sufficiently better to displace the current, wildly
>>> imperfect, X.509-based PKI.
>>>
>>> I do think CT is an improvement though, and in the longer term may
>>> point to other solutions involving large databases of public keys.
>>> But I've yet to see one of those that might really take hold.
>>
>> Err ... CT?
>
> Yeah, cert transparency, I'm guessing you're familiar with it:-)
>
> My point is that CT is a "large DB of keys" improvement to X.509
> based PKI. I suspect that may point to the possibility of future
> solutions where relying parties each carry around a large DB of
> public keys. But that's just me speculating, no more.

Yeah, I think that's mostly a good idea, except for the distribution
and synchronisation problems.

BTW, to be totally clear, I really don't like the CA system. When I
started CT I hoped it would ultimately provide a way to replace CAs
with something better, but after 5 years of thinking about it, I still
haven't figured out what the something better is!

The core problem, it seems to me, is what you do when the key in the
database is wrong. I don't have an answer for that that doesn't look
very CA-like.

