Chris's Wiki :: blog/web/LetsEncryptMonoculture Comments
https://utcc.utoronto.ca/~cks/space/blog/web/LetsEncryptMonoculture?atomcomments
2017-12-14T19:57:01Z
Recent comments in Chris's Wiki :: blog/web/LetsEncryptMonoculture.

By Kristof Provost on /blog/web/LetsEncryptMonoculture
<div class="wikitext"><p>The CA ecosystem is interesting, in that I'm not sure a monoculture is necessarily a bad thing. Usually it is, of course, because a flaw in one variety would affect everyone. The thing about CAs is that we're only ever as safe as the least safe of the bunch. The weakest link will break security for everyone, irrespective of what CA they happen to use. It doesn't matter that Google use CA X; if CA Y messes up and issues a certificate for Google.com to the wrong people, Google and all of their users still have a problem.</p>
<p>In other words: variety here tends to reduce overall robustness rather than increase it.
There are still other reasons to have multiple CAs, but a large reduction in the number of (the commonly trusted) CAs would likely be a very good thing.</p>
</div>
2017-12-14T19:57:01Z