[cryptography] Let's go back to the beginning on this

Seth David Schoen schoen at eff.org
Wed Sep 14 17:52:15 EDT 2011

Arshad Noor writes:

> I'm not sure I understand why it would be helpful to know all (or any)
> intermediate CA ahead of time.  If you trust the self-signed Root CA,
> then, by definition, you've decided to trust everything that CA (and
> subordinate CA) issues, with the exception of revoked certificates.
> Can you please elaborate?  Thanks.

Of course, intermediate CAs are sometimes created for purely
operational reasons that may be quite prudent.  But delegating
root CA-like power to more distinct organizations creates risk.

Without external double-checks, the integrity of the CA system is as
strong as its weakest link, so every new CA is an additional
independent source of risk.  When CAs delegate to intermediates,
those intermediates can add new kinds of risk:

* they could be in different jurisdictions, so there's new risk that
  the legal systems in those jurisdictions could try to compel them
  to misissue*;

* they could be run by different people who could be persuaded to
  misissue in new ways;

* they could use different software or hardware or operating systems
  that could have different vulnerabilities;

* they could use different crypto primitives when issuing legitimate
  certificates that could have different vulnerabilities.

Whether or not the new CA does a worse job overall than the old CA, it
still creates new risk -- by CA proliferation!  (In fact, there are
already some cases showing that intermediate CAs _aren't_ always as
cautious or competent in practice as the roots that delegated to them.)

More fundamentally, as Peter Biddle points out, trust isn't
transitive.  Suppose we think that a particular CA is super-awesome
at verifying that someone owns a domain and issuing hard-to-forge
certificates attesting to this fact, while resisting compromises
and coercion.  That doesn't necessarily mean that it's also a good
judge of whether another organization is also a good CA.

Even giving the PKIX status quo the benefit of the doubt, the root
CA decisions are supposed to be made by neutral parties following a
careful process that includes input from professional auditors.  When
CAs get in the habit of delegating their power, that process is at
risk of being bypassed and in any case starts to happen much less
transparently.  There are plenty of cases in the real world where
someone is trusted with the power to take an action, but not
automatically trusted with the power to delegate that power to others
without external oversight.  And that makes sense, because trust isn't

* see https://www.eff.org/files/countries-with-CAs.txt

Seth Schoen  <schoen at eff.org>
Senior Staff Technologist                       https://www.eff.org/
Electronic Frontier Foundation                  https://www.eff.org/join
454 Shotwell Street, San Francisco, CA  94110   +1 415 436 9333 x107
