Why being able to partially distrust a Certificate Authority is good

December 6, 2022

One of the arguments I've heard against supporting partial distrust of Certificate Authorities in places like Linux root certificate stores (which you currently can't really do) is that a bad CA can simply backdate TLS certificates to get around things like 'certificates issued from December 1st 2022 onward won't be trusted'. On the one hand, this is technically true (although these days either such a TLS certificate wouldn't be usable in the majority of web browsers or it would soon be detected through Certificate Transparency logs). On the other hand, there are a collection of reasons to think that it's a good thing that browser can do this sort of thing (and thus that more software should support it).

The original view of CA trust was that it was binary; either the CA was working perfectly fine and would in the future, or the CA was entirely bad and compromised, and should be distrusted immediately. While there have been some CA incidents like this, such as the DigiNotar compromise, in practice a significant number of the CA problems that have come up over the years have been less clear cut than this, such as the WoSign case (and the WoSign case was exceptionally bad in that WoSign actively issued bad TLS certificates). The recent case of TrustCor is illustrative; as far as was reported to Mozilla (and summarized by them), TrustCor never mis-issued any TLS certificates or committed any other clear violations of CA requirements. They were merely sketchy.

The problem with fully distrusting a CA is that you cause problems for people (and software) talking to legitimate sites making legitimate use of TLS certificates from the CA. Sometimes (as with DigiNotar) there is no real choice, but often there is a balance between the harm you would do now and the harm that you will prevent in the future (and perhaps now). A partial distrust is a way to shift the balance of harm, so that you do less harm to people today at an acceptable cost for potential future harm. By reducing the clear cost, you make people more likely to take action, which improves the situation even if it's not theoretically perfect.

(Distrusting a questionable CA a year in the future, or six months in the future, or a month in the future, or starting now, is better than continuing to trust it without limit.)

The second order effect of being able to partially distrust a CA is that it gives browsers more power compared to CAs. To copy the joke about owing a bank money, if you entirely distrust a popular CA today, that's your problem (people will blame you for the scary TLS messages), while if you distrust a CA starting in six months, that's much more the CA's problem. Being able to credibly threaten CAs with distrusting future TLS certificates without breaking current users is a powerful weapon, and browsers have repeatedly been able to use it to force changes in CA behavior.

(This includes somewhat more subtle issues like browsers limiting the trust interval (starting with future certificates) or requiring CT log attestations starting at a certain point. Both of those were 'partial distrust' issues in that they initially applied to future TLS certificates, not current ones.)

Today, Linux and more generally Unix software is out in the cold on these decisions and is stuck in the binary world, with the binary choices about how many people they harm today in exchange for harm reduction. Ubuntu entirely removing TrustCor's certificates is probably the right decision overall, but it does potentially harm people using Ubuntu who have previously been talking to hosts with TrustCor TLS certificates.

Written on 06 December 2022.
« I've now disabled systemd-oomd on my Fedora desktops
My story of using Linux libvirt/KVM to get an ad hoc remote desktop »

Page tools: View Source, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Tue Dec 6 23:44:08 2022
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.