[axiologist]

This somehow confirms my gut feeling that digital certificates are mainly a means to enforce exclusion on behalf of the certificate authority ownership. It is a tool to prevent people from taking full ownership and control of whatever is affected by digital certificates, be it software, firmware, hardware, or as in this case SSL/TLS. That's digital tyranny in disguise.

[belorn]

While it seems like certificate authority has the primary control here, the real control lies in browsers and operative systems in which certificate authorities are trusted. Users also have, at least for the moment, control to add or remove certificate authorities, even if that control is slightly less clear for devices like smart phones.

Digital certificates that signs software packages are used to enforce exclusion by some manufacturers. Let's encrypt is not in that space to my knowledge, but it is a place where you the owner do not have the right to determine which certificate authority should be trusted, and generally the only one that is trusted is the manufacturer. Its arguable if we even should be calling such entities a certificate authority, even if they technically are the owner of the root certificate that signs the package.

[hulitu]

> the real control lies in browsers and operative systems in which certificate authorities are trusted

Wasn't Let's encrypt a Mozilla child ?

The real control lies at who defines what is trusted.

[ulfbert_inc]

Local control, maybe. But not the power.

[MarleTangible]

I always saw it as a trust-chain and think that anyone is welcomed to create a root certificate and distribute it to whomever trusts them. Most simple services may not need TLS, but with the ISPs eavesdropping on our communication, a form of secure communication is required and the currently best solution we have requires a trust-chain to be built.

[happosai]

It is such a great improvement that ISPs cannot eavesdrop us anymore... only for everyone to terminate TLS at cloudflare so they (and thus US government) can now eavesdrop everyone.

[rixed]

Ultimately, I find it likely that TLS will become a tool to prevent users from accessing foreign content (browsers stubbornly refusing to show untrusted sites in the name of security, slowly getting there), more than a tool to prevent eavesdropping on users secrets.

[owl57]

If you have a service that shares information between people all over the world, a few big companies and one government is for most cases an improvement over all the involved ISPs and all of their respective governments.

[dijit]

That's not the trade-off you make though.

The involved ISP and respective governments do still see everything, but also cloudflare and the US ISPs they use see it in the clear.

Also the US has a history of abusing its position here, even with less honeypot like companies.

[lesostep]

The problem is that finding a root source of trust aren't easy this days. LE was neutral, now nobody is.

Russian government issued their new root certificate years ago.

Nobody trusted it enough to request a certificate from them or install it on their computers. Including almost all of the russian residents.

If Let's Encrypt enforces the rules, as written in pdf, a lot of people would lose a choice.

Frankly, even publishing a statement like that would make the scales of trust tip for some.

[LtWorf]

> Nobody trusted it

Let's be real here… 99.99999999999999% of internet users have no idea what root CAs even are. It's the browser vendor mafia that makes the decision.

[cpud36]

Force the people and then give them simple instructions to install certificate. And it's done.

Forcing is as easy, as blocking access to important services behind the certificate wall.

[lesostep]

>> 99.99999999999999% of internet users have no idea what root CAs even are

that would be like *checks math* less than a human aware of root CA? Can't be right.

anyway, people living in russia are statistically more aware. There was a campaign after new root CA was issued. It was on a news, on the official channels, in the mail and on the posters. A lot of government sites begged to install them whenever you visited.

It's not like they released it silently.

[thaumasiotes]

> I always saw it as a trust-chain and think that anyone is welcomed to create a root certificate and distribute it to whomever trusts them.

Note that phones already try to prevent you from using a certificate that you provide yourself.

[fluoridation]

"Try to prevent"? What does that mean?

[trumpdong]

It means they prevent, unless you perform several undocumented arcane rituals.

[thaumasiotes]

In this case, you have to compile the OS yourself and patch the trusted certificate store.

[Parodper]

We could, and should, switch to DANE. Or else, switch to how X.509 was supposed to be used, with each country running a CA for their nationals.

[theamk]

I trust governments much less that a conglomerate of competing corporations.

With all the problems with Web PKI, at least the bad actors are getting distrusted, and this provides a very strong enforcement on the rest. And Certificate Transparency makes sure the mis-issuance would be caught. It is not perfect by any means, but things are getting better.

With DANE (or other country-issued certificates), every government will absolutely double-issue certificates to police, secret service and friends of goverment, and no one will have any recourse. (In the past I'd say that only countries like Russia would do it.. but with today's climate, I am sure both US and many European countries will do that too)

[dijit]

Companies have run some absolutely outstanding PR then.

I have never worked in any company where I explicitly trust the CEO to always do the right thing in every situation.

There is usually no governance board, or review system to inquire about public harm: those things are usually external and fought against as they are regulatory burden.

So, in practice what tends to happen is that someone in the company just does stuff. Since humans aren't perfect this "doing stuff" is not always super enjoyable. If it's the CEO who "does stuff" then you're cooked because nobody except the board of directors can say anything meaningful: you gotta hope that the media wants to put pressure on.

Our elected officials on the other hand, are supposed to represent us, and thus media pressure is a lot stronger; issues that affect many people are meant to be properly reflected, and their decisions are open by default.

[theamk]

They key is multiple, competing companies. As long as they don't collude, if one company misbehaves, others will catch it.

[dijit]

Hows that going for…

… browsers

… phones

… operating systems

… network appliances

… payment transaction systems

I feel like if it fails so often then it can’t be relied on.

[toast0]

I'm not really in favor of DANE, because DNSSEC is such a mess ... but.

Certificate transparency is nice. Browsers could require it for DANE certificates, just like they require it for current Web PKI certificates.

The people controlling the TLD of interesting can exert control over the domain of interest in order to issue a DANE certificate. But they can also exert control over the domain of interest in order to request a domain control certificate, so widespread use of DANE wouldn't add any new adversaries. If DNSSEC wasn't a mess, and DANE replaced WebPKI, we would eliminate the risk from CAs without adding a new risk --- TLDs (and the DNS root) are existing risks.

[Parodper]

And if they don't, DNS is already a database. You could just query domains to check their certificates. People running recursive DNS servers could double-check certificates.

[toast0]

If the DNS takeover is limited in scope, the legitimate owner wouldn't be able to query it.

CT addresses scoped attacks by making all webpki trusted certificates public knowledge. You would want something similar with DANE.

[trumpdong]

CT seems useless for DANE because the cert is self signed, so anyone can just flood the CT with self signed certs for your website. It's useful with WebPKI because only certs signed by a CA go in CT and it's a big deal if one is mis-issued. Anyone can mis-issue a self-signed cert at home for fun.

[toast0]

You'd have to do something like pre-publish in DNS, submit to CT which verifies that it's in DNS before logging. And the CT could rate limit on domain name or something to reduce abuse.

[Parodper]

> every government will absolutely double-issue certificates to police, secret service and friends of goverment, and no one will have any recourse.

Countries already have CA that issue certificates with more legal force than a handwritten signature. I can open a bank account, pay my taxes and sign up to all government services. But I can't use them for a webpage.

> With DANE (or other country-issued certificates)

DANE isn't a country-issued certificate. It's a scheme where you store your public keys on DNS records. Of course, now we have the issue that DNSSEC (signed DNS records) isn't widespread and the whole issue with DNS registries.

[theamk]

DANE is entirely dependent on DNSSEC, and DNSSEC is, by design, under the government control, with all the bureaucratic mess and mistakes this implies.

This would be pretty terrible if anyone actually cared about DNSSEC, but luckily for us, no one cares.. So let's keep things this way.

[trumpdong]

Domain registries can already get a certificate for your domain by changing the address to their own server temporarily and then doing ACME with LE. So no new vector is introduced by directly putting the cert in DNS.

[Parodper]

You obviously don't know how DNSSEC works. The DNS root of trust is ICANN, not a government.

[xorcist]

> I trust governments much less that a conglomerate of competing corporations

Let's not create a world wide PKI based on a political ideology.

> country-issued certificates [...] every government will absolutely double-issue certificates

This is such a strange argument. If you register a .ru domain, do you really think you are safe should the Russian intelligence services ask for a valid certificate? Controlling the actual domain, they could issue ask many domain validated certificates as they wish.

The problem with our current SSL PKI, as so very many people have pointed out over the years, is that any CA is allowed to issue valid certificates for any domain name. There have been proposals to use X.509 extensions to remedy this, but they have seen lesser real world usage than the various certificate revocation schemes, which is very close to zero already.

If there was no way for a Russian CA to issue certificates for .us domains, real world security would improve. A lot. And the other way around, of course.

Feel free to s/Russian/Chinese/ in the above argument or whatever tickles your geopolitical fancies. The argument still stands.

Domain registries decide who owns what domain. That is their literal role. You would think that asserting this ownership cryptographically would be a no-brainer in 2026. Yet we have this discussion over and over again. There are many people whose income quite literally depend on the status quo of our global SSL PKI, which coincidentally also offers no end of possibilities for the various intelligence services around the world.

The next time someone tries to scare you with that governments or intelligence services control DNS and therefore it would be crazy to limit issuance of certificates to them, take a look where they have contracts.

[toast0]

> The problem with our current SSL PKI, as so very many people have pointed out over the years, is that any CA is allowed to issue valid certificates for any domain name. There have been proposals to use X.509 extensions to remedy this, but they have seen lesser real world usage than the various certificate revocation schemes, which is very close to zero already.

Some of the browser root programs include (or have included) restrictions on what tlds a CA is allowed to sign. I think for some of the iffier CAs that nonetheless had a huge marketshare in their country of origin.

No need for the CA itself to include it in their root certificate.

It would be handy if the name restrictions actually worked though. Then you could probably get a CA to sign an intermediate CA authorized only to issue certs for your domain(s). There are some CAs that will do that already where they provide an HSM with the intermediate CA's key that will only sign certs for authorized domains, but the CA cert does not encode the constraint and this is permitted by the ca/b agreement. It just seems like it'd be nicer if it just worked.

[Parodper]

Unfortunately the CA/B Forum has high requirements for constrained subordinate CA certificates[1], which to me sounds a lot like regulatory capture.

[1] https://community.letsencrypt.org/t/sub-ca-with-wildcard-cer...

[gopher_space]

> I trust governments much less that a conglomerate of competing corporations.

There’s no essential difference between the two from my perspective. Why are these my only choices?

[r-w]

One, in a democracy, is accountable to adults in the same jurisdiction. The other is only accountable to those with financial ties to its success.

[coldtea]

>One, in a democracy, is accountable to adults in the same jurisdiction

Or so they say. How's that been working out in practice?

[Parodper]

What other choices are there?

An international body might work, or just move the issue one step back.

[account42]

Pretty much any big government has a CA they can exert direct control over whenever needed.

[theamk]

Maybe, but then can only do it once. Then they get caught, and their CA is distrusted. See Diginotar [0] for example.

And things only gotten better since - we now have CT logs, and browsers require them, so any mis-issuance can be detected automatically, by any interested third party.

If we go to DANE, we lose this all. "Oops, our CT uploader process failed, we will fix Real Soon(tm) we promise" - and what are browsers going to do? Distrust the entire country?

[0] https://blog.mozilla.org/security/2011/09/02/diginotar-remov...

[JumpCrisscross]

Side note: “DigiNotar BV was a Dutch certificate authority from 1998 to 2011. It was acquired in January 2011 by VASCO and subsequently declared bankrupt in September of the same year” [1].

I didn’t realize the slapped their face on the pavement right after being acquired.

[1] https://en.wikipedia.org/wiki/DigiNotar

[Fnoord]

The Dutch government didn't exercise control over Diginotar.

In the Dutch hacker scene, Diginotar was a meme. Everyone knew it was a mess there.

[account42]

Do we also need to put all our letters into strongboxes before we send them?

Maybe we should have solve the ISP snooping problem by making that illegal instead.

[theamk]

This just leaves every single public Wifi network - which used to mess with traffic a lot

[cyanydeez]

Guys, we live in a society.

[lxgr]

> Do we also need to put all our letters into strongboxes before we send them?

If it were as cheap and efficient as TLS these days, yes, absolutely

> Maybe we should have solve the ISP snooping problem by making that illegal instead.

We could do both! ISP snooping is still a problem for metadata (SNI).

[account42]

Apparently the cost of TLS these days is to subject yourself to whatever laws that countries of "free" TLS want to impose on you. That isn't very cheap.

[lxgr]

I'd also love TOFU for TLS, at least on .local TLDs, but for publicly hosted websites, I've come around to the idea that maybe encryption without authentication would not help that much these days.

As for who does that authentication: Given all the suggestions in the sibling threads, I really don't think we're in a situation where there's a single entity gatekeeping access by any means.

[kube-system]

The entire point of a trust model is to exclude people. That's the stated goal.

If you want encryption without trust, just use self-signed certs.

[13415]

The problem is that the current trust model is totally untrustworthy.

[kube-system]

Philosophically, trust isn't a "solvable" problem. It can only be mitigated to varying degrees. However, some degree of trust is probably better than none.

[13415]

One thing is sure, pinning trust on trust chains down from Root Certificate Authorities is fundamentally incompatible with our notion of trust and an almost absurd idea to start with. Most people using a browser don't even know any person from such an organization nor would or should they have any rational reason to trust them.

[kube-system]

> our notion of trust

I suspect I may have a different notion of trust than you

> Most people using a browser don't even know any person from such an organization nor would or should they have any rational reason to trust them.

Back up one step further -- most people using a browser don't understand the problem set we're talking about even exists

[13415]

As long as you're human, you don't have a substantially different notion of trust than I do. It's part of human psychology. We had to evolve it as social beings. I've seen very ad hoc CS papers on "trust", though, which IMHO were based on nothing but fantasy. Perhaps you had one of those re-definitions in mind. I tried to contribute to this pointless literature myself for a while until I realized that it's completely fictitious. All you can say from a mathematical perspective is that trust builds up very slowly based on a numerous factors and, if betrayed, goes down very fast and stays there. However, the notion doesn't have enough substance for a fruitful non-psychological modeling; there is just not enough ideal rationality behind it.

[lxgr]

If you don't care about who you're talking to, why use certificates at all?

[kube-system]

If you don't care about who you're talking to, why use encryption at all?

[palmotea]

> This somehow confirms my gut feeling that digital certificates are mainly a means to enforce exclusion on behalf of the certificate authority ownership. It is a tool to prevent people from taking full ownership and control of whatever is affected by digital certificates, be it software, firmware, hardware, or as in this case SSL/TLS. That's digital tyranny in disguise.

I think the "digital tyranny" is a side effect, not the main goal. They're "mainly a means" to prevent certain kinds of MITM attacks.

[account42]

You could that with a much saner approach like DANE.

[franga2000]

Not back when SSL and the PKI ecosystem was developed.

[trumpdong]

Yes actually you still could've. But it would require a pass through the IETF to stabdaddize a DNS record type, and that would delay Netscape's release.

[franga2000]

Any DNS-based solution needs something like DNSSEC to work. I believe DNSSEC didn't exist yet when HTTPS was being developed and even if it did, it wasn't anywhere near ubiquitous enough. Is it even these days?

[tptacek]

No, fewer than 5% of North American DNS names are signed, and the number has gone down over some recent years.

[account42]

That's kind of like saying that any CA-based solution needs something like a root program. Sure, but that would just be part of creating a DANE-like solution. Both the current CA solution and DANE or another hypothetical DNS-based solution are fundamentally similar on a technical level: hierarchical delegation of authorization backed by public key crypto. The main difference is where on the delegation chain you limit authority for further delegation and who controls the root. The DNS-based approach has the crypto system reflect real ownership while the CA-based approach has browsers makers at the top and whoever pays enough money and hasn't publicly fucked up yet at the middle with delegated authority to sign literally everything.

[watwut]

I always thought the main goal was to force people to pay money for certificates.

[ekr____]

Let's Encrypt certificates are free.