Does your Certifying Authority have a clue who you are? Do they care?

Bob Beck beck at
Fri Dec 5 01:52:39 UTC 2003

	So, an interesting thing happened to me yesterday.

	I run OpenBSD's site. Of course, we have an
SSL Site certificate for this site. When we first started the site,
(about 6 years ago) we got a site certificate from Thawte. Back in
these days they were based in South Africa, and had a Canadian Legal
firm to verify who we were. So of course, Theo had to fax them some
stuff, as did I. etc. etc.  The whole process was rather painful,
particularly since "OpenBSD" isn't a company, so we couldn't exactly
send incorporation documents and the like. Nevertheless, supposedly
this is to provide some sort of protection for people - that "OpenBSD"
really is who it claims to be. 

	So, time comes to renew the certificate again, and give Thawte
their bi-yearly sum to keep our server cert alive. Every other year,
the renewal process has been automatic, They already have our
documentation on file so presumably they can and do check this. This year,
they know nothing, They have been bought by verisign and they want new
documentation. The conversation went something like this:

<"What happened to our previously sent documentation?"
>"It's in a warehouse in Canada, because we changed how we do things"
<"Why can't you get it from there - We're a multinational volunteer organization, coming up with any sort of stuff like this is a pain"
>"Well, we can't". 
<"So you've lost it?"
>"No, we know where it is, it's in the Warehouse"
<"Well, you can't get it because you don't know where it is in the Warehouse"
>"Yes, so what can you send us?"
<"Are you going to get the documents from Canada?"
>"Yes, but we're not sure when or how?"

	So the long and the short of it is, our CA has *LOST* the
documents showing who we are, and wants new ones. Had someone
previously filed fraudulent documents to obtain an ssl certificate,
they wouldn't have copies of those. So, the real question is, what
good does it do to send supporting documentation to these services, if
all they do is lose them? Is this really providing anyone with any
security, or is this really just a thinly veiled revenue generation
procedure. If they can't even produce the documentation used to
support a certificate they've issued, then why the heck ask for, and
charge money for this in the first place? Of course my certificate is
good for X years, not to protect me from my cert being exposed, but
just to get more money after X years. Certificate revocation? Who 
actually uses that, for real, in a manner that any widespread public
apps (i.e. web browsers) will pay attention to?

	Needless to say, any real confidence I (used to) have in
Thawte (back when it made Mark Shuttleworth enough money to buy a ride
on the space station) is really no more. (And no, I never really did
have any confidence in https, because of the human engineering issues)
Anyway, we got a new cert from a provider that only cares about domain
ownership, which works fine. The real question is, between the fact
that the web browsers makes it so easy for knuckle dragging apes to
accept any certificate out there anyway, and if the CA's aren't doing
anything to speak of with the "Supporting Documentation", Who are we
kidding that there's any real point (security wise) to this exercise?
Time for a new protocol that just stores the public key the first time
like SSH, and the user maintains their own list? Really, is that any
less secure than this ongoing nonsense from a practical perspective?
(Other than there's no way for CA's to make money off of it?)



More information about the NANOG mailing list