The problems I see with multi-signed SSL in practice

January 11, 2009

Given both the need for certificate authorities and the practical weaknesses that they have, it would be nice if it was easy to drop a CA without causing massive havoc. The most straightforward way to implement this is to allow SSL certificates to be signed by more than one authority, and to be considered valid if any of the authorities is trusted.

The problem with this is economic. Each CA is going to have to charge you their own payment in order to sign your certificate, which means that most people will never buy this 'insurance'. Because that's what it is; it enables no extra functionality, it just keeps your website going if your original CA screws up or goes bad. Worse, this is an unlikely event that could be fixed fairly fast if it happened at all, so why pay in advance? Thus, the likely result is that most certificates will still only have a single CA's signature, and you have not made it any easier or less disruptive to pull a CA's root certificate.

(If having signatures from multiple CAs becomes part of some 'extended validation' scheme, it will be correctly seen as yet another attempt by CAs to extract even more money from certificate users.)

Why do CAs have to charge you?

Given the issues with the web of trust model and that you cannot ask users to manage their own security, the trust roots basically need two properties: they have to be sufficiently trustworthy that they can be included in browsers by default, and they must be basically 'flat', more or less directly signing website certificates. Since the trust root needs to be flat, the CA has to deal with all of the signature volume itself, with enough care and validation to be trusted; it cannot push parts of the load off on to third party volunteers. And as we've seen over and over, free volunteer work does not scale above a certain volume level, where it exhausts all of the free time and free resources.

(Web of trust based systems can operate for free because they distribute the volume; any given node in the web only signs a relatively low volume of things, and nodes can just decline to sign at all if they're overloaded because the 'customers' can just go find another node.)

Last modified: Sun Jan 11 02:09:04 2009