[Cryptography] Commercial PKI as dog poop

Hagai Bar-El info at hbarel.com
Tue May 11 10:32:11 EDT 2021


Hello,

Peter Gutmann wrote:
> Hat tip to an anonymous contributor: Go to https://www.dogpoopsigns.com and
> look at the certificate.  It's actually issued for https://www.smartsign.com,
> but is also valid for www.smartsign.com, smartsign.com, myengravedsign.com, [...]
>
> OK, it's a CDN certificate, for which a random jumble of unrelated DNs like this
> is the norm.  The unintended dogpoop comedy is a good indication of the state
> of commercial PKI in this area.

It is so true... There is tech, and there is how it is deployed. PKI is 
not that awful as a technology, but we did mess it up immensely in the 
past ~25 years of its deployment. One big mistake was the improper 
alignment of incentives (CAs are paid for issuing certs and seldom 
penalized for issuing them to the wrong requestor), and another big 
mistake was accepting a model where any CA can sign any cert with us 
being equally happy about it.

The result of the latter is this CDN effect... Once we decided that it's 
fine for anyone to sign anything, we only called for such cost-cuts by 
CDNs that happily create one cert for serving all their customers' data.

(In an optimal world, we wouldn't have to trust the CDN, but this will 
require a TLS without the 'T'...)

Hagai.

-- 
/Hagai Bar-El/
www.hbarel.com <https://www.hbarel.com?med=sig>
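An added example, not part of the thread: it builds a self-signed certificate in the shape Peter describes (subject smartsign.com, SAN list bundling other customers' names, all constructed here) and shows that hostname validation treats every bundled name as equally valid, plus a small audit helper that lists the SAN entries unrelated to the site's own domain. Names and the `ownDomain` grouping rule are assumptions for the sample.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"strings"
	"time"
)

// Constructed sample modelled on the thread: subject smartsign.com plus other customers' names.
var sampleSANs = []string{"www.smartsign.com", "smartsign.com", "myengravedsign.com", "www.dogpoopsigns.com"}
// newCDNStyleCert builds a self-signed cert bundling all sans under one subject.
func newCDNStyleCert(cn string, sans []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     sans,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// validFor: does host match a SAN entry? The CN is ignored, so every bundled name counts equally.
func validFor(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

// unrelatedNames lists SAN entries neither equal to nor under ownDomain (the "random jumble").
func unrelatedNames(cert *x509.Certificate, ownDomain string) []string {
	var out []string
	for _, n := range cert.DNSNames {
		if n != ownDomain && !strings.HasSuffix(n, "."+ownDomain) {
			out = append(out, n)
		}
	}
	return out
}
```

Running `validFor` over the sample names shows dogpoopsigns.com validating exactly as smartsign.com does, while `unrelatedNames(cert, "smartsign.com")` surfaces the two names that have nothing to do with the subject.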