[Cryptography] The EFF 650 CAs lie

Paul Wouters paul at cypherpunks.ca
Sun May 3 22:00:19 EDT 2020

On Thu, 30 Apr 2020, Phillip Hallam-Baker wrote:

>  When asserting that there are 650 'CAs', an informal standard is used.

Makes sense to me. If there are an unknown number of RAs and LRAs that
can trigger a CA to issue a certificate, then from the point of view of
EFF, it juts increases the amount of individuals that can cause a rogue

>        A Certificate Authority is an authority from whom you obtain a
>        certificate.  It makes no legal difference whether you personally
>        sign the certificate, whether you personally operate a root, or
>        whether the certificate is issued with an "intermediate" root.
>  Actually it makes a vast difference both legally and technically.

I think EFF's main concern was individuals and/or organisations that
could cause a certificate to be issued. Whether that is a direct CA
or another party doesn't really matter.

>  The question is who can be held accountable for mis-issue. An LRA or RA
>  cannot be held accountable, only the CA can. Only the CA issues a
>  Certificate Policy and Certificate Practices Statement. If there is a
>  mis-issue, it is the CA that suffers consequences.

That only helps to clean up the mess, not to prevent it.

>  If we are going to improve the current situation, we have to be honest about
>  what the problems were with the old.

The main problem is that it is not hierarchical. And we need to ensure
goverment XX can control entries in their TLD XX. Regardless of whether
DNSSEC or WebPKI is technically better, the flat model of WebPKI is just
flawed. Nothing can fix the WebPKI if the USG can coerce a US company
to issue a Chinese or Russian certificate. Currenty, the only block in
this stream is Mozilla and Google and Apple - all basically under USG
sphere of coercion.

>  The problem with DNSSEC is that there is only one provider. And that
>  provider is (justifiably) regarded as a US government agency by Russia
>  and China. And so they have made plain that they will not tolerate
>  widespread use of DNSSEC.

It's not. It is trivial to skip the root key and let CCTLD keys be in
configurations for their respective TLD only. It's actual a working
version of path-constraint.

But specifically for these very unlikely in practise, but possible in
theory attack of the root key, over at DNSOP at the IETF we are
currently running a call for adoption for a draft that allows a key
to announce it to be DELEGATION_ONLY, through which it cannot bypass
it's delegated children. And it allows DNSSEC Transparency to log
proof of a rogue (root) key - in which case the political system and
root zone operators could kick out the USG/ICANN/Verisign root key
for something else.


Please to send a message to DNSOP if you think this draft is a good
idea (and well, also when you think it is a bad idea)

>  But the real problem of the WebPKI today is actually the exact opposite of
>  'too many CAs'. The market has consolidated to the point where
>  two providers have an effective duopoly on the commercial side and there is
>  one free provider. 

Indeed. The EFF has now caused the reverse problem. Everyone now has to
trust them and only them. Of course, it does prove the point that since
all of domain validation happens via DNS anyway, we should just cut out
the CA middleman and do it via DNS and kick all the CAs to the curb.

>  So now we have the 'too big to fail' problem. And note that when one of
>  those three recently screwed up in a far more egregious fashion than
>  Symantec did, they were not shut down.

Indeed. But I was shocked at LetsEncrypt original plan to kill all
these domains, and I'm glad they actually ended up violating the
CAB/Forum rules. Clearly ACME still needs some work so it can better
recover in these kind of scenario's.

But even taking one further step back. It is crazy that all this
security is ultimately decided by 4 US based broswer vendors. It
needs to be hierarchical where governments can make decisions of
trust and identity for their citizens and their organisations
independently of the US. DNS and DNSSEC is the only thing we have
that can do that.


More information about the cryptography mailing list