A New (security) Certificate Authority

In these post Edward Snowden days, and with that, for the moving all internet standards to be encrypted end-to-end:

There is soon to be a new (freely available?) CA?

Here is some recent good comment from our maillist:

Mike-C wrote:

Jason-I wrote:
Have folks heard of this?

Let’s Encrypt is a new Certificate Authority

Yes. Looks very good. Unless you work for an existing CA.

El Reg: Mozilla, EFF, Cisco back free-as-in-FREE-BEER SSL cert authority

Non-El Reg: Launching in 2015: A Certificate Authority to Encrypt the Entire Web

Enough to restore some faith in the CA system

Not sure about that. If anything, every time you add a new CA, all you’re doing is making it so that there are more organisations who can potentially be compromised or coerced into signing a certificate which they shouldn’t.

or do things like these remain the way forward:

Convergence [An agile, distributed, and secure strategy for replacing Certificate Authorities]

Perspectives Project [With Perspectives, public “network notary” servers regularly monitor the SSL certificates used]

I’m not convinced these systems would work at scale. I.e, if every browser had it built in. I don’t think there would be enough notaries to make it work. Unless an organisation like Google came along and hosted them. But then you lose the variety, and the “trust agility” with it.

Certificate transparency is an interesting idea: Certificate Transparency

Also, HTTP Public Key Pinning: HTTP Public-Key-Pinning explained

I think some combination of traditional CA, DANE, certificate transparency and key pinning is the way forward. They can all work side by side. The difficulty is in making it easy to set up and maintain these features. One mistake and all of a sudden nobody can access your website any more.

Leave a Reply