by geofft 2175 days ago
The PKI, like democracy, is the worst system except for all the others.

I think the main alternatives people suggest are

- something involving a distributed ledger, where revocation isn't even an option, so that clearly doesn't make it better than the current system if we're talking about revocation being a mess (we could just amend the current system to get rid of revocation and throw out a whole bunch of technical complexity if we wanted)

- something involving DNS, which also involves trusting a bunch of companies nobody's heard of (sometimes the same companies, in fact?) who are hardly obviously better at operating cryptographic infrastructure than the existing CAs

- a TOFU approach like SSH, which hasn't been demonstrated to scale well beyond the dozen or so machines in your known_hosts file (most large companies are using something other than TOFU even for internal SSH)

I don't think PKI is an objectively good system, it's just difficult to picture a better one. The main flaws with PKI in practice aren't really about the companies nobody's heard of or a web browser being run by an adtech company - the main flaws are that people want a lot of things out of the system, some of which are contradictory, and running cryptography at this level of scale is genuinely hard. The alternatives don't really address those problems.


A DNS-based system reduces the attack surface for any given domain massively: The gTLD registrar and your domain registrar become the sole entities that can create trusted certificates involving your site.

Right now, how many different companies could issue a microsoft.com cert if compromised or sketchy? Hundreds?

Right now CAs delegate trust to bunches of questionable sites as seen here with poor oversight or security based on business interest. On a DNS-based system, the entities involved are limited to those who actually manage your DNS.

It also removes the agency of browsers to decide who does and doesn't get to play, which is the current system.

The attacks are different, though. Under Certificate Transparency, approximately no one can issue a microsoft.com certificate and get away with it. Under a DNS-based system, the domain registry can do whatever, and there's no effective way to distrust them - if Verisign (who still manages .com, but who was too incompetent to run a CA and sold it to people who have been hard at work trying to clean up the mess) does something unreasonable with .com, the only option is for Microsoft to find a different TLD.

Given that most of the problems with the CA system historically have not been active attacks but incompetence, I don't think we win much from moving to a system where we can, in fact, kick TURKTRUST out of the pool to one where the question is whether .tr remains part of the internet or not. If Verisign screws up with .com in any way short of revealing a letter from the FBI saying "Please help us MITM Windows Update," there will be immense pressure to allow Verisign to continue being the .com registry and continue holding the .com signing keys.

For similar reasons, I'm not convinced that moving from "Hundreds of unqualified companies could issue a bad cert, but hopefully they won't" to "One unqualified company could issue a bad cert, but hopefully it won't" is a meaningful benefit. It doesn't reduce the theoretical bounds on the attacks, and again in practice, these hundreds of companies haven't been misissuing. (The present story is about mis-delegating the power to issue revocation/non-revocation responses, which is certainly a problem, but only relevant in practice if there are actual end-entity certs that are misissued in the first place.) So while it certainly feels better to have fewer entities that can sign - and to be clear, I am all for distrusting many if not most of them - I don't think it addresses either the fundamental theoretical problems or the actual real-world attacks.

> Verisign (who still manages .com, but who was too incompetent to run a CA and sold it to people who have been hard at work trying to clean up the mess)

The Verisign CA function was sold to Symantec. That name might ring a bell too, because with these CAs set to be distrusted as a result of Symantec's mismanagement, the whole business was again sold to DigiCert in 2017.

I think the perverse part of your reasoning is that you think .com is trustworthy now. It's one of the worst run registries. Its popularity with businesses probably tells you more about how scammy most businesses are than whether .com is trustworthy, and not very much about either.

Not sure if you're directing that at me or the parent comment - my position is definitely that Verisign should not be trusted with certificate signing authority over .com. The comment I'm replying to seems to advocate Verisign (and nobody else) being able to issue microsoft.com certs, which I think is a bad idea.
If Microsoft is comfortable with microsoft.com despite the .com registry being appallingly run I don't see any problem with that, just as I wouldn't see any problem with Microsoft choosing to open a Microsoft store in the almost-abandoned decaying mall at the far edge of town whose only other tenants are a discount furniture store and a company that sells only a single item and never has any customers.

It's a mistake to separate out the certificate signing authority for different attention if it would be (as in DNSSEC) hierarchically constrained. Verisign can already screw up badly enough to cause Microsoft to lose control of microsoft.com or let somebody else have it. They've apparently decided they're comfortable with their capacity to mitigate that risk. Fine.