[ocdtrekkie]

Indeed. I am still in awe people supportive of PKI are referred to as "security experts". PKI is literally where we decided that a bunch of companies nobody's heard of should all be the Most Trusted for the entire Internet, and be able to tell us if everyone else is trustworthy. And then our web browsers, one of which is run by an adtech company, should decide whether or not to trust those entities, and whether or not to let the user override that decision about trustworthiness, to show us the website we wanted to get to.

[geofft]

The PKI, like democracy, is the worst system except for all the others.

I think the main alternatives people suggest are

- something involving a distributed ledger, where revocation isn't even an option, so that clearly doesn't make it better than the current system if we're talking about revocation being a mess (we could just amend the current system to get rid of revocation and throw out a whole bunch of technical complexity if we wanted)

- something involving DNS, which also involves trusting a bunch of companies nobody's heard of (sometimes the same companies, in fact?) who are hardly obviously better at operating cryptographic infrastructure than the existing CAs

- a TOFU approach like SSH, which hasn't been demonstrated to scale well beyond the dozen or so machines in your known_hosts file (most large companies are using something other than TOFU even for internal SSH)

I don't think PKI is an objectively good system, it's just difficult to picture a better one. The main flaws with PKI in practice aren't really about the companies nobody's heard of or a web browser being run by an adtech company - the main flaws are that people want a lot of things out of the system, some of which are contradictory, and running cryptography at this level of scale is genuinely hard. The alternatives don't really address those problems.

[ocdtrekkie]

A DNS-based system reduces the attack surface for any given domain massively: The gTLD registrar and your domain registrar become the sole entities that can create trusted certificates involving your site.

Right now, how many different companies could issue a microsoft.com cert if compromised or sketchy? Hundreds?

Right now CAs delegate trust to bunches of questionable sites as seen here with poor oversight or security based on business interest. On a DNS-based system, the entities involved are limited to those who actually manage your DNS.

It also removes the agency of browsers to decide who does and doesn't get to play, which is the current system.

[geofft]

The attacks are different, though. Under Certificate Transparency, approximately no one can issue a microsoft.com certificate and get away with it. Under a DNS-based system, the domain registry can do whatever, and there's no effective way to distrust them - if Verisign (who still manages .com, but who was too incompetent to run a CA and sold it to people who have been hard at work trying to clean up the mess) does something unreasonable with .com, the only option is for Microsoft to find a different TLD.

Given that most of the problems with the CA system historically have not been active attacks but incompetence, I don't think we win much from moving to a system where we can, in fact, kick TURKTRUST out of the pool to one where the question is whether .tr remains part of the internet or not. If Verisign screws up with .com in any way short of revealing a letter from the FBI saying "Please help us MITM Windows Update," there will be immense pressure to allow Verisign to continue being the .com registry and continue holding the .com signing keys.

For similar reasons, I'm not convinced that moving from "Hundreds of unqualified companies could issue a bad cert, but hopefully they won't" to "One unqualified company could issue a bad cert, but hopefully it won't" is a meaningful benefit. It doesn't reduce the theoretical bounds on the attacks, and again in practice, these hundreds of companies haven't been misissuing. (The present story is about mis-delegating the power to issue revocation/non-revocation responses, which is certainly a problem, but only relevant in practice if there are actual end-entity certs that are misissued in the first place.) So while it certainly feels better to have fewer entities that can sign - and to be clear, I am all for distrusting many if not most of them - I don't think it addresses either the fundamental theoretical problems nor the actual real-world attacks.

[tialaramex]

> Verisign (who still manages .com, but who was too incompetent to run a CA and sold it to people who have been hard at work trying to clean up the mess)

The Verisign CA function was sold to Symantec. That name might ring a bell too, because with these CAs set to be distrusted as a result of Symantec's mismanagement the whole business was again sold to DigiCert in 2017.

I think the perverse part of your reasoning is that you think .com is trustworthy now. It's one of the worst run registries. Its popularity with businesses probably tells you more about how scammy most businesses are than whether .com is trustworthy, and not very much about either.

[geofft]

Not sure if you're directing that at me or the parent comment - my position is definitely that Verisign should not be trusted with certificate signing authority over .com. The comment I'm replying to seems to advocate Verisign (and nobody else) being able to issue microsoft.com certs, which I think is a bad idea.

[tialaramex]

If Microsoft is comfortable with microsoft.com despite the .com registry being appallingly run I don't see any problem with that, just as I wouldn't see any problem with Microsoft choosing to open a Microsoft store in the almost-abandoned decaying mall at the far edge of town whose only other tenants are a discount furniture store and a company that sells only a single item and never has any customers.

It's a mistake to separate out the certificate signing authority for different attention if it would be (as in DNSSEC) hierarchically constrained. Verisign can already screw up badly enough to cause Microsoft to lose control of microsoft.com or let somebody else have it. They've apparently decided they're comfortable with their capacity to mitigate that risk. Fine.

[simias]

It was supposed to be a "proof of stake" originally I suppose, if a company was caught doing shady thing it would lose its CA status so they're incentivized not to do so. Sort of like internet notaries.

That might have worked decently in the early internet but it does seem seriously flawed with the current stakes.

That being said, what's the alternative? TOFU? Web of Trust? Those have massive security implications as well. They have the advantage of putting the user back in control but given that the vast majority of the people using the web today doesn't have a deep understanding of the underlying technology and security model I don't see how this wouldn't end up in a massive catastrophe.

It's a tough problem to solve.

[ocdtrekkie]

The problem is a lot of companies have done shady things and they are still participating in PKI. And a huge issue is that I can't pick my trustworthy parties: For instance, I do not trust Google. But a huge portion of the web won't work unless my browser assumes Google can issue certs for any domain in the world. I also don't trust a half a dozen CAs in countries I don't deal with and would rather prefer not have access to at all. When a Chinese PKI provider fails, I first wonder why I'm even trusting these CAs to begin with.

I'd prefer a system backed by DNS, and based on verifying the ownership of domains and the authorized DNS provider for that domain. Presumably, in my example, the only domains Google would be authorized to secure would be domains provided via Google's DNS and domain products.

[tialaramex]

> For instance, I do not trust Google. But a huge portion of the web won't work unless my browser assumes Google can issue certs for any domain in the world.

Um no. Google's four production roots (GTS Root R1 through R4) are essentially dormant. You could (but probably shouldn't) manually distrust these roots with no impact.

[ancarda]

Do you have an alternative? DANE looks good but it would require lots of people to get on board with DNSSEC first...

[ocdtrekkie]

The interesting thing is that web browsers can make people "get on board" with anything. Most of the PKI and TLS changes in the last couple years have happened because Chrome/Firefox/Safari have decided to say "this or your page won't work".

Understanding where web security is right now is about understanding who is making the decisions (regardless of any claims about committees and processes), and what motivations they have to make the decisions they do.

[parliament32]

Doesn't this just shift the exact same trust to registrars?

[ocdtrekkie]

It shifts the trust to a single CA instead of all the CAs.

[a1369209993]

More precicely, it means that compromising the public key infrastructure requires compromising one specific CA, rather than compromising any single CA out of hundreds. Ideally, we would it to instead require compromising all CAs out of hundreds, but as long as the defective-by-design X.509 PKI is used, that's not very possible, much less likely.

[mytailorisrich]

This is a solution that works reasonably well.

Formulating a working alternative is far from trivial.

[a1369209993]

To be fair, it's not PKI in general, but specifically X.509 PKI that needs to die in a fire.

[salawat]

I am so glad I'm not alone in this viewpoint. When we first learned about CA's back in college, I still remember the double-take I had in class.

Never could get the professor to double back around to th He mote problematic stuff.