Chinese root CA issues rogue/fake certificates

Eric Kuhnke eric.kuhnke at
Thu Sep 1 01:42:48 UTC 2016

"Too big to fail"

Where have we heard that before?

If business risk/continuity people knew not only how much of a single point
of failure a root CA is, but other basic stuff like "Maybe it shouldn't be
possible to login to your domain registrar's control panel with the
password known by Bob from Accounting, who wrote his pet's name down on a
post-it note that he keeps in his desk drawer, and then point all the
NS1/NS2/NS3 and glue records somewhere else..."

On Wed, Aug 31, 2016 at 6:36 PM, Matt Palmer <mpalmer at> wrote:

> On Wed, Aug 31, 2016 at 10:45:48AM -0800, Royce Williams wrote:
> > Hypothetically, it would be an interesting strategy for a CA to
> > publicly demonstrate this level of competence:
> >
> >
> an-ssl-certificate-for-github-com
> >
> > ... while at the same time taking over another large install base like
> > StartSSL's (an install base fueled by offering free certs).
> >
> > If one got caught doing something naughty, one could buy time by A)
> > playing the incompetence card a few times, and B) having a large
> > enough deployment that it becomes non-trivial for the browsers/OSes to
> > revoke you outright.
> Honest Achmed's business model wins again!
> I'm pretty sure that's how this is going to go down here, too, incidentally
> -- there's just waaaay too many sites using WoSign (and StartCom) for the
> CAs' roots to just be pulled.  Sad, but true.
> > Also, this is a cautionary tale about certificate diversity.
> >
> > Because of relative issuer stability, orgs have had the luxury of
> > depending wholly on a single cert supplier. The risk/continuity folks
> > might want to model some "one of our major certificate issuers just
> > got globally revoked" scenarios - if they haven't already.
> I'd be surprised if most business continuity people could even name their
> cert provider, and most probably don't even know how certs come to exist or
> that they *can* be made useless on a wide scale by the actions of,
> seemingly, an unrelated third party.  It's a system nearly without
> precedent, when you think about it.  In fact, my gut feel is that, if they
> really understood the system, most risk/continuity folks would scream "are
> you f**king kidding me?  That's ridiculous!".
> Thanks, Netscape.  Great ecosystem you built.
> - Matt
> --
> Talk about unlucky. D'you know, if I fell in a barrel of tits I'd come out
> sucking me thumb.
>                 -- Seen on the 'net:
> rights.html

More information about the NANOG mailing list