> The webpki is changing dramatically. The amount of CAB/forum violations
> seems to be increasing, partially as a result of these violations getting
> exposed by certificate transparency and perhaps partially because of the
> financial strain caused by the free LetsEncrypt.
Uninformed speculations that are just flat out wrong do not help anyone. LetsEncrypt, if anything, has been a big help to the CA industry. Both free and paid offerings are seeing significant growth. Let's not spread FUD about "financial strain" that does not actually exist. And furthermore, it's best not to suggest hypothetical unproved ("seems to be") observations are caused by the previously mentioned cause that doesn't actually exist. That's irresponsible.

Tools like cablint have actually contributed far more to improvements in the technical compliance of certificates from vendors who previously didn't adhere that closely to strict compliance with RFCs, CABF requirements, required certificate profiles, and so on. CT is less responsible, as it is only required for EV (though many large CAs have voluntarily started logging all certificates). Many bad certificates were still found the old-fashioned way: by crawling for them.

There's an old story about an intelligence analyst who found a handful of suspicious structures in a remote desert. More resources were assigned to figure out what they were. A few months later, the number of structures was observed to be increasing rapidly. More resources were assigned. Pretty soon, new ones were found every day. People started panicking, and someone was dispatched to investigate on the ground. It turned out to be a kind of water condenser common in the region, and the increase in numbers was only because people had started looking for them. They had always been there, just no one paid attention to them.

The truth is that the increase in activity around problems with various certificates is because people are just paying far more attention to even the smallest, most obscure details of every issued web PKI certificate these days: far, far more than they did even just two or three years ago. And that's a good thing, not a bad thing. Progress is being made.
The certificates being issued by almost every CA out there are technically much cleaner than they were when I first started doing CA things, maybe five years ago. The Symantec swamp cleanup effort is also responsible for a significant fraction (the majority?) of recent reports.

-Tim
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls