nanog mailing list archives
Re: Russia attempts mandating installation of root CA on clients for TLS MITM
From: Masataka Ohta <mohta () necom830 hpcl titech ac jp>
Date: Mon, 14 Mar 2022 00:18:39 +0900
Sean Donelan wrote:
> You'll notice there still isn't a CA trust list for use in the USG :-)

It merely means that PKI does not have its own security and relies on trust for all the CAs (not only the root ones), which means PKI is as secure as the plain Internet, which is secure if all the ISPs are TPPs (trusted third parties). If you can assume all the CAs are TPPs, you can also assume all the ISPs are TPPs.

> About 95% of the TLS certificates globally are ultimately signed by about six CA organizations depending on how you track ownership. (I know, multiple "abouts" in that sentence). The long tail of global business means most operating systems ship (or after the installation autoupdate) with 100+ trusted certificate authorities by default.

The number of blindly trusted root CAs is irrelevant because PKI with just one not-so-trustworthy root CA is bad enough. PKI is just insecure.

Masataka Ohta