[arin-announce] ARIN Resource Certification Update

Leen Besselink leen at consolejunkie.net
Sun Jan 30 09:09:02 CST 2011


Hello Carlos,

On 01/30/2011 02:57 PM, Carlos Martinez-Cagnazzo wrote:
> What I just don´t get if, we as a society, have created institutions
> we trust with our *money* (AKA banks), why there can´t be institutions
> we trust with our crypto keys. I know that banks sometimes fail, and
> yes, probably "crypto banks" will sometimes fail as well, but on the
> whole, the failure rate of trusted institutions can be quite low,
> acceptably low.
>

Well, we tried to trust the Certificate Authorities for SSL/TLS but that
has failed too.

And they don't even hold private keys.

Your browser now indirectly trusts 1000+ (sub) certificate authorities.

Do I actually trust them all ? No, I don't but they could all sign a
certificate for paypal.com* which my browser would trust just fine.

A simple example is CNNIC which is a Chinese government agency, the people
in China don't trust them, so why should I ?

Should the browser really trust a German university to sign paypal.com* ?

How about an agency in the United Emirates ? How about my own government ?

Or Time Warner/AOL or Ford Motor company or Google  ?

And so on.

https://www.eff.org/files/colour_map_of_CAs.pdf
https://www.eff.org/observatory
http://www.youtube.com/watch?v=VUKCDm04AqI
http://events.ccc.de/congress/2010/Fahrplan/events/4121.en.html
http://events.ccc.de/congress/2010/Fahrplan/attachments/1777_is-the-SSLiverse-a-safe-place.pdf

At this point, I would really like to see someone implement a
DNS-recursive nameserver which
can be configured to only trust the root to DNSSEC-sign the root zone
and nothing else. And allow
the owners/operators/whatever of .com only allow to sign .com. Nothing more.

But that isn't really what DNSSEC was designed to do. I am however glad
people are working on adding
DNSSEC to the browser and some hash in DNS which tells the browser which
certificate or CA's are
trusted for a domain.

Even though it seems to be going slow, because there are many reasons
why DNSSEC won't be deployed
to users any time soon.

* Yes, I know Paypal.com uses an EV-certificate (green bar) and there
are a lot less CA's for that, but
it is just an example of a website.

How about the Chinese government reading what you do on gmail while you
are in China ? That is
just an example of something that does not use an EV-cert.

I'm not satisfied with the banks in my country either. It seems in both
cases to be a race to the bottom.
Cuttings costs any place they can, like reducing staff. Making it harder
and harder to use cash.

The CA's seem to be a race to the bottom too. They are not spending
money trying to improve their
systems, even though the environment around them is changing. Just
trying to make money from their
existing business.

Because it already is a race to the bottom, might as well offer free
certificates so everyone can use them
to secure any site. One CA already does this: https://www.startssl.com/
They atleast to me seem to be
very proactive.

The problem with banks is, I've not found a good alternative yet.

Fully support StartSSL and RIPE for trying to lower the bar for more
security.

Have a nice weekend,
    Leen.





More information about the NANOG mailing list