[Cryptography] The EFF 650 CAs lie

William Allen Simpson william.allen.simpson at gmail.com
Thu Apr 30 12:17:00 EDT 2020

On 4/28/20 11:36 PM, Phillip Hallam-Baker wrote:

> As was explained at the time and on numerous occasions since, a CA is a body that has control of at least one Certificate signing key. The vast majority of the '650 CA's identified in the study control no signing keys. They are simply customers of a CA whose certificates are issued off a separate intermediate root.

Having taken the time to read through the documents, it seems to me
that EFF is correct.  No lying involved.

A Certificate Authority is an authority from whom you obtain a
certificate.  It makes no legal difference whether you personally
sign the certificate, whether you personally operate a root, or
whether the certificate is issued with an "intermediate" root.

This issue is merely one of agency.  I pay you, a certificate is
issued.  Thus, you've demonstrated _control_ of the authority.
Enough of the world's TLS implementations accept it.  Done.

Do I think that the whole CA infrastructure is good?  Of course not.

Do I think there are better models?  I was a strong supporter of
SPKI....  Also, that the Internet distribute certificates via DNS.

But Very Important People (with money) wanted to monetize the
security infrastructure.  This is what resulted.
