[Cryptography] Commercial PKI as dog poop

jrzx jrzx at protonmail.ch
Thu May 13 00:34:18 EDT 2021


> On 5/10/21 11:23 AM, Peter Gutmann wrote:
> > The unintended dogpoop comedy is a good indication of
> > the state of commercial PKI in this area.

On Tuesday, May 11, 2021 3:06 AM, Stephan Neuhaus <stephan.neuhaus at zhaw.ch> wrote:
> I've looked at this cert and I'm at a loss. If they
> can get a jumbo cert like this from GoDaddy, surely they
> could also get a bunch of single certs from letsencrypt.

A CDN is "non origin certification".

Meaning the owner of the certificate has no control over
the name, and the owner of the name has no control over
the owner of the certificate casually redirecting the
name to a machine controlled by someone else.

The existence of CDNs subverts people's expectations about
certificates.

If your website is certified by a CDN, and if there is
anything that matters on the website, you should consider
different hosting.

A CDN puts you in a similar situation to having a domain
name that is [my_name].wordpress.com, and a lot of such names
have been burned by that.
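As an added example, not from the original post or any project: a Go check (standard library only) that lists the SANs on a certificate that belong to registrable domains other than your own, which is the property the post objects to in a CDN's shared "jumbo" cert. The certificate is constructed inline as a stand-in, and the two-label registrable-domain helper is a simplifying assumption.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// registrableDomain is a naive eTLD+1 (last two labels); real code would consult the public suffix list.
func registrableDomain(name string) string {
	labels := strings.Split(strings.TrimPrefix(strings.ToLower(name), "*."), ".")
	if n := len(labels); n > 2 {
		labels = labels[n-2:]
	}
	return strings.Join(labels, ".")
}
// ForeignSANs returns the DNS names on cert outside ownDomain's registrable domain:
// each is a name whose owner shares this certificate, and so its holder, with us.
func ForeignSANs(cert *x509.Certificate, ownDomain string) []string {
	own := registrableDomain(ownDomain)
	var foreign []string
	for _, san := range cert.DNSNames {
		if registrableDomain(san) != own {
			foreign = append(foreign, san)
		}
	}
	return foreign
}
// sharedCert builds a constructed, self-signed stand-in for a CDN "jumbo" cert spanning unrelated domains.
func sharedCert(names []string) *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
		DNSNames:     names,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

func main() {
	cert := sharedCert([]string{"www.example.com", "example.com", "shop.example.net", "cdn.example.org"})
	fmt.Println(ForeignSANs(cert, "example.com")) // [shop.example.net cdn.example.org]
}
```

Run it against a real leaf certificate fetched from your own site; a non-empty list is the signal the post describes.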
