[Cryptography] The business of web hosting, was Commercial PKI as dog poop

jrzx jrzx at protonmail.ch
Sat May 15 21:13:24 EDT 2021


jrzx said:
> > > > A CDN is "non origin certification" ...
> >
> > I expect that if I form an SSL connection to www.example.com,
> > the machine at the other end will be controlled by the owner
> > of the name www.example.com

On Friday, May 14, 2021 6:58 PM, John Levine <johnl at iecc.com> wrote:
> Once again, you seem to be using an Internet unlike the one
> the rest of us use.

> Looking at the certs on the web sites, even though they're
> all in the bank's domain tompkinstrust.com, I see that the
> EV cert for www.tompkinstrust.com is issued to the bank,
> the EV one for the business banking subsite at
> treasurymanagement.tompkinstrust.com is issued to Jack Henry,
> and the DV one for the personal banking subsite
> at secure.tompkinstrust.com is issued to nobody, just the
> domain name.

And the secrets underlying each of these certificates are
located on the actual physical machine you connect to.

And chances are those machines are located in a data center
physically controlled by the bank with a security guard and
a cam, and if they are located at some random unknown place
in the cloud, root login is only possible with an ssh key
whose secret is physically located in a computer somewhere
in the bank's offices.

The problem with a CDN certificate is that its actual secret
is located on some other machine, and which machine you actually
connect to depends on routing decisions by it and routing
decisions in the network between them.

The problem with a CDN certificate is that certificates were
supposed to solve the problem that the network is necessarily
physically insecure.


