I think the point Eric was trying to make is that while, indeed, the initial, 
stated goal might be to be able to issue certificates to replace those expired 
or expiring, there's just a jump/skip/hop to force installation of this root CA 
certificate in all browsers, or for Russia to block downloads of Firefox/Chrome 
from outside the Federation, and instead distribute versions which would 
already include this CA's certificate. And then MITM the whole population 
without their knowledge or approval.

GIVEN: savvy users might know how to delete the certificate, or others may 
teach them how, and how to download other CAs' certificates (if the government 
were to ship only this certificate with the browser). Cat and mouse game. The 
North Korean and Chinese governments have been doing these kinds of shenanigans 
for a long time - I am sure Russia could copy their model. And considering the 
tight media control they’re already exercising, I don't think it is crazy or 
paranoid to think the Internet will be next. They seem to be already going down 
that path.

PS: opinions and statements, like the above, are my very own personal take or 
opinion. Nothing I say should be interpreted to be my employer's position, nor 
be supported by my employer. 

On 3/10/22, 7:38 PM, "NANOG on behalf of Sean Donelan" 
<nanog-bounces+dciccaro=cisco....@nanog.org on behalf of s...@donelan.com> 
wrote:

    On Thu, 10 Mar 2022, Eric Kuhnke wrote:
    > I think we'll see a lot more of this from authoritarian regimes in the
    > future. For anyone unfamiliar with their existing distributed DPI
    > architecture, google "Russia SORM".

    Many nations have a government CA.

    The United States Government has its Federal Public Key Infrastructure, 
    and Federal Bridge CA.

    https://playbooks.idmanagement.gov/fpki/ca/

    If you use DOD CAC IDs or FCEB PIV cards or other federal programs, your 
    computer needs to have the FPKI CAs.  You don't need the FPKI CAs for 
    other purposes.

    Some countries' CAs issue for citizen and business certificates.


    While X509 allows you to specify different CAs for different purposes, 
    since the days of Netscape, browsers trust hundreds of root or bridged CAs 
    in their trust repository for anything.

    Neither commercial nor government CAs are inherently more (or less) 
    trustworthy.  There has been trouble with CAs of all types.

    An X509 certificate is a big integer number, in a fancy wrapper.  It's not a 
    magical object.
