Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

Richard Barnes richard.barnes at gmail.com
Sun Sep 11 18:47:03 UTC 2011


There's an app^W^Wa Working Group for that.
<http://tools.ietf.org/wg/dane/>

On Sun, Sep 11, 2011 at 2:44 PM, Mike Jones <mike at mikejones.in> wrote:
> On 11 September 2011 16:55, Bjørn Mork <bjorn at mork.no> wrote:
>> You can rewrite that: Trust is the CA business.  Trust has a price.  If
>> the CA is not trusted, the price increases.
>>
>> Yes, they may end up out of business because of that price jump, but you
>> should not neglect the fact that trust is for sale here.
>>
>
> The CA model is fundamentally flawed in the fact that you have CAs
> whose sole "trustworthiness" is the fact that they paid for an audit
> (for Microsoft; lower requirements for others). They then issue
> intermediate certificates to other companies (many web hosts and other
> minor companies have them) whose sole "trustworthiness" is the fact
> that they paid for an intermediate certificate. All of those
> companies/organisations/people are then considered trustworthy enough
> to confirm the identity of my web server, despite the fact that none of
> them have any connection at all to me or my website.
>
> There is already a chain of trust down the DNS tree. If that is
> compromised, then my SSL is already compromised (if they control my
> domain, they can "verify" they are me and get a certificate). What
> happened to RFC 4398 and other such proposals? EV certificates have a
> different status and probably still need the CA model; however, with
> "standard" SSL certificates the only validation done these days is
> checking someone has control over the domain. DNSSEC deployment is
> advanced enough now to do that automatically at the client. We just
> need browsers to start checking for certificates in DNS when making an
> HTTPS connection (and if one is found, do client-side DNSSEC validation
> - I don't trust my ISP's DNS servers to validate something like that,
> considering they are the ones likely to be intercepting my connections
> in the first place!).
>
> It will take a while to get updated browsers rolled out to enough
> users for it to be practical to start using DNS-based self-signed
> certificates instead of CA-signed certificates, so why don't any
> browsers have support yet? Are any of them working on it?
>
> - Mike
>
>
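The "certificate in DNS" check Mike describes is what the DANE working group linked above ended up specifying as the TLSA record (RFC 6698): the zone publishes a hash of the server's certificate or public key, and the client compares the certificate it was handed in the TLS handshake against that record, accepting it only if the record arrived through DNSSEC validation. The following is an added, stand-alone Python illustration of that matching step; it is not code from this thread or from the DANE WG. The certificate bytes are constructed inline (a structurally valid but meaningless DER blob) so it runs offline, the `dnssec_validated` flag stands in for a local validating resolver, and only certificate usage 3 (DANE-EE) is handled, since usages 0-2 additionally need PKIX chain handling.

```python
"""DANE/TLSA matching (RFC 6698) in pure Python: added example, not from the thread."""
import hashlib

SEQUENCE, INTEGER, BITSTRING, OID, CONTEXT0 = 0x30, 0x02, 0x03, 0x06, 0xA0


def der_len(n):
    """Encode a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, payload):
    """Encode one DER TLV."""
    return bytes([tag]) + der_len(len(payload)) + payload


def der_read(buf, pos=0):
    """Decode one TLV at pos; return (tag, value, position after the TLV)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def spki_from_cert(cert_der):
    """Return the full SubjectPublicKeyInfo TLV from an X.509 Certificate.
    tbsCertificate = [0] version OPTIONAL, serialNumber, signature, issuer,
    validity, subject, subjectPublicKeyInfo, ... (RFC 5280)."""
    tag, cert, _ = der_read(cert_der)
    assert tag == SEQUENCE
    tag, tbs, _ = der_read(cert)
    assert tag == SEQUENCE
    pos = 0
    tag, _, nxt = der_read(tbs, pos)
    if tag == CONTEXT0:          # explicit version present, skip it
        pos = nxt
    for _ in range(5):           # serial, signature, issuer, validity, subject
        _, _, pos = der_read(tbs, pos)
    tag, _, end = der_read(tbs, pos)
    assert tag == SEQUENCE
    return tbs[pos:end]          # RFC 6698 hashes the whole SPKI TLV


def tlsa_association_data(cert_der, selector, matching_type):
    """Selector 0 = full certificate, 1 = SPKI; matching type 0/1/2 = exact/SHA-256/SHA-512."""
    data = cert_der if selector == 0 else spki_from_cert(cert_der)
    if matching_type == 0:
        return data
    if matching_type == 1:
        return hashlib.sha256(data).digest()
    if matching_type == 2:
        return hashlib.sha512(data).digest()
    raise ValueError("unknown TLSA matching type %d" % matching_type)


def parse_tlsa(presentation):
    """Parse RFC 6698 presentation format: 'usage selector mtype hexdata'."""
    usage, selector, mtype, hexdata = presentation.split(None, 3)
    return int(usage), int(selector), int(mtype), bytes.fromhex(hexdata.replace(" ", ""))


def dane_ee_match(cert_der, tlsa_records, dnssec_validated):
    """True if a usage-3 (DANE-EE) record matches the presented end-entity cert.
    Records not proven by DNSSEC are ignored: otherwise whoever sits on the DNS
    path (the ISP resolver Mike mentions) could publish a record for their own cert."""
    if not dnssec_validated:
        return False
    for rec in tlsa_records:
        usage, selector, mtype, data = parse_tlsa(rec)
        if usage != 3:
            continue             # usages 0-2 need PKIX/chain handling, not shown
        if tlsa_association_data(cert_der, selector, mtype) == data:
            return True
    return False


def constructed_cert():
    """Constructed sample data: a structurally valid, meaningless X.509 DER blob."""
    spki = der(SEQUENCE, der(SEQUENCE, der(OID, b"\x2a\x86\x48\xce\x3d\x02\x01"))
               + der(BITSTRING, b"\x00\x04" + b"\x11" * 64))
    tbs = der(SEQUENCE, der(CONTEXT0, der(INTEGER, b"\x02")) + der(INTEGER, b"\x01")
              + der(SEQUENCE, b"") * 4 + spki)   # sigalg, issuer, validity, subject left empty
    cert = der(SEQUENCE, tbs + der(SEQUENCE, b"") + der(BITSTRING, b"\x00" + b"\x22" * 8))
    return cert, spki


CERT_DER, SPKI_DER = constructed_cert()
# A "3 1 1" record (DANE-EE, SPKI, SHA-256) as the zone owner would publish it.
SAMPLE_TLSA = ["3 1 1 " + hashlib.sha256(SPKI_DER).hexdigest()]

if __name__ == "__main__":
    print(dane_ee_match(CERT_DER, SAMPLE_TLSA, dnssec_validated=True))   # True
    print(dane_ee_match(CERT_DER, SAMPLE_TLSA, dnssec_validated=False))  # False
```

The "3 1 1" form (hash of the SubjectPublicKeyInfo) is the one usually recommended, because it survives certificate renewal as long as the key is kept; a record with selector 0 pins the exact certificate and has to be republished every time it is reissued.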
