[Cryptography] The EFF 650 CAs lie

Phillip Hallam-Baker phill at hallambaker.com
Thu Apr 30 13:29:56 EDT 2020

On Thu, Apr 30, 2020 at 12:17 PM William Allen Simpson <william.allen.simpson at gmail.com> wrote:

> On 4/28/20 11:36 PM, Phillip Hallam-Baker wrote:
> > As was explained at the time and on numerous occasions since, a CA is a
> > body that has control of at least one Certificate signing key. The vast
> > majority of the '650 CA's identified in the study control no signing keys.
> > They are simply customers of a CA whose certificates are issued off a
> > separate intermediate root.
> >
> Having taken the time to read through the documents, it seems to me
> that EFF is correct.  No lying involved.

As with Trumpian lies, the problem is that different criteria are applied
to the statements at different points in the argument.

When asserting that there are 650 'CAs', an informal standard is used.

When asserting the number of CAs is a serious concern, the technical
standard is used.

EFF repeatedly used this study to argue that there were too many parties
with the ability to sign certificates. They used the informal definition to
claim there was a large number of CAs and then the formal definition to
assert that there was an unacceptably large number of signers.

> A Certificate Authority is an authority from whom you obtain a
> certificate.  It makes no legal difference whether you personally
> sign the certificate, whether you personally operate a root, or
> whether the certificate is issued with an "intermediate" root.

Actually it makes a vast difference both legally and technically.

The question is who can be held accountable for mis-issue. An LRA or RA
cannot be held accountable, only the CA can. Only the CA issues a
Certificate Policy and Certificate Practices Statement. If there is a
mis-issue, it is the CA that suffers consequences.

The suggestion that there were 'thousands' of CAs is still used today to
justify changes

> This issue is merely one of agency.  I pay you, a certificate is
> issued.  Thus, you've demonstrated _control_ of the authority.
> Enough of the world's TLS implementations accept it.  Done.

The question is where that demonstration is verified.

If someone is making a claim there is an order of magnitude more
verification points than actually exist, that is a problem.

> Do I think that the whole CA infrastructure is good?  Of course not.

> Do I think there are better models?  I was a strong supporter of
> SPKI....  Also, that the Internet distribute certificates via DNS.

If we are going to improve the current situation, we have to be honest
about what the problems were with the old.

If someone is attacking a witness for 'not taking a lie detector test', I
will invariably object that means nothing because the tests are bogus. And
I do that regardless of whether I consider the witness otherwise credible
or not. Introducing a false claim into the argument confuses the issue.

The problem with DNSSEC is that there is only one provider. And that
provider is (justifiably) regarded as a US government agency by Russia and
China. And so they have made plain that they will not tolerate widespread
use of DNSSEC.

> But Very Important People (with money) wanted to monetize the
> security infrastructure.  This is what resulted.

But the real problem of the WebPKI today is actually the exact opposite of
'too many CAs'. The market has consolidated to the point where two
providers have an effective duopoly on the commercial side and there is one
free provider.

So now we have the 'too big to fail' problem. And note that when one of
those three recently screwed up in a far more egregious fashion than
Symantec did, they were not shut down.