(Renaming the thread to fork this particular discussion from any others on this transaction.)
You raise a fair point, Ryan: I'm not well versed in how Let's Encrypt went about establishing their roots. I thought I had a good understanding but perhaps I had missed something. When I went to the Let's Encrypt site I found a diagram that showed one of their intermediates as cross-signed by IdenTrust; no mention of a root acquisition.
Again, perhaps I've missed something so please let me know if that's the case. In a ironic way, this very uncertainty demonstrates the kind of confusion I was trying to highlight with my is-it-Google-or-GlobalSign comments.
I think Kurt and I are on the same page regarding the precedent being established in this and prior acquisitions. In fact, I probably incorporated some of his points in my own commentary. I'm not sure if he'll agree with the what I view as the danger here: By purchasing a single root certificate, Google (and anyone else) is redefining the very concept of "trust anchor".
Back in the early SSL days, one could look at the root cert, see the name on it, and decide right away if it's trustworthy ("oh yeah, I know VeriSign"). In other words, trust was contained entirely within the sequence of bytes that make up the root cert combined with one's own experience.
A significant change to that model happened when CA companies began to be purchased by other companies. However, since they were complete acquisitions, it isn't so hard to add that one tidbit of knowledge to the thought process ("oh yeah, Symantec and VeriSign are the same"). So during this period of time trust was contained within the root certificate itself in conjunction with one's own experience and knowledge of CA company acquisitions.
As more roots entered the scene, it became more frequent for one to encounter a root CA company that was unfamiliar. However, one could decide to ignore it because it was in another jurisdiction (country, government institution, etc.) that was not pertinent. Or one could, in fairly short order, do some Internet research on the CA company and make a decision--including possibly reading their CP/CPS. So, in essence, the anchor of trust is contained within the root cert combined with one's own knowledge, experience, and some research.
Now, however, we are faced with a entirely different situation wherein the root certificate itself contributes little to establishing trust for a certificate chain. Any information contained in the cert is merely a starting point to research that particular cert: one must first determine who currently owns that root, possibly research the CA company if it's unfamiliar ("I know Google but what is this GTS all about?"), and probably find and read the CP/CPS to find the details about the new ownership ("so who is handling revocation now?").
The kicker in all this is that one must perform these steps for every root one encounters, every time one encounters it: Did GlobalSign sell any other roots since the last time I checked? Has Google transferred ownership of the GlobalSign roots they purchased on to someone else? What about this Amazon root or Comodo or...?
In other words, what used to be a trust anchor is now no better at establishing trust than the end-entity cert one is trying to validate or investigate (for example, in a forensic context) in the first place. I hardly think this redefinition of trust anchor improves the state of the global PKI and I sincerely hope it does not become a trend.
On 2017-03-23 16:39, Ryan Sleevi wrote:
> On Thu, Mar 23, 2017 at 8:37 AM, Peter Kurrasch via dev-security-policy <
> firstname.lastname@example.org> wrote:
>> I would be interested in knowing why Google felt it necessary to purchase
>> an existing root instead of, for example, pursuing a "new root" path along
>> the lines of what Let's Encrypt did? All I could gather from the Google
>> security blog is that they really want to be a root CA and to do it in a
>> hurry. Why the need to do it quickly, especially given the risks (attack
> Clarification: I'm not speaking on behalf of Google
> I think this demonstrates a lack of understanding of what Let's Encrypt
> did. Let's Encrypt obtained a cross-signed certificate (from IdenTrust),
> which is "purchasing" a signature for their key. This is one approach.
> Purchasing a pre-existing signature (and key) is another. They are
> functionally equivalent.
> So what Google has done is what is what Let's Encrypt did.
There are a few difference between the two:
- With the signature from IdenTrust, Let's encrypt is not a trusted root
CA, it's an intermediate CA. The ISRG also generated it's own root CA.
- Let's encrypt has it's own name (Let's encrypt, ISRG) on the
certificate. It's clear who the owner of the certificate it. It's not
clear that a GlobalSign certificate is not owned or controlled by
GlobalSign but instead by some other corporation that doesn't have any
relation to the first.
I find this second point rather annoying. As far as I know it's not the
first time something like that happened. I would not have a problem with
something like that if Google bought (all CAs from) GlobalSign, but I
dislike that some CAs which appear to be from the same company are
actually owned by several unrelated ones.
dev-security-policy mailing list
_______________________________________________ dev-security-policy mailing list email@example.com https://lists.mozilla.org/listinfo/dev-security-policy