> The webpki is changing dramatically. The amount of CAB/forum violations
> seems to be increasing, partially as a result of these violations getting
> exposed
> by certificate transparancy and perhaps partially because of the financial
> strain
> caused by the free LetsEncrypt.

Uniformed speculations that are just flat out wrong do not help anyone.

LetsEncrypt, if anything, has been a big help to the CA industry.  Both free 
and paid offerings are seeing significant growth.  Let's not spread FUD about 
"financial strain" that does not actually exist.  And furthermore, it's best 
not suggest hypothetical unproved ("seems to be") observations are caused by 
the previously mentioned cause that doesn't actually exist.  That's 

Tools like cablint have actually contributed far more to improvements in the 
technical compliance of certificates from vendors who previously didn't adhere 
that closely to strict compliance with RFCs, CABF requirements, required 
certificate profiles, and so on.  CT is less responsible, as it is only 
required for EV (though many large CAs have voluntarily started logging all 
certificates).  Many bad certificates were still found the old fashioned way: 
by crawling for them.

There's an old story about an intelligence analyst who found a handful of 
suspicious structures in a remote desert.  More resources were assigned to 
figure out what they were.

A few months later, the number of structures was observed to be increasing 
rapidly.  More resources were assigned.

Pretty soon, new ones were found every day.  People started panicking, and 
someone was dispatched to investigate on the ground.

It turned out to be a kind of water condenser common in the region, and the 
increase in numbers was only because people had started looking for them. 
They had always been there, just no one paid attention to them.

The truth is that the increase in activity around problems with various 
certificates is because people are just paying far more attention to even the 
smallest, most obscure details of every issued web PKI certificate these days: 
far, far more than they did even just two or three years ago.

And that's a good thing, not a bad thing.  Progress is being made.  The 
certificates being issued by almost every CA out there are much technically 
cleaner than they  were when I first started doing CA things, maybe five years 

The Symantec swamp cleanup effort is also responsible for a significant 
fraction (the majority?) of recent reports.


Attachment: smime.p7s
Description: S/MIME cryptographic signature

TLS mailing list

Reply via email to