JamesTheAwesomeDude / cerdicator

Enhanced TLS indicator with an emphasis on information about the Root Certificate Authority from which the connection's authenticity is derived
https://addons.mozilla.org/en-US/firefox/addon/cerdicator/

handle ambiguous political-exposure cases #6

Open JamesTheAwesomeDude opened 4 years ago

JamesTheAwesomeDude commented 4 years ago

e.g. DigiCert's "Baltimore CyberTrust Root"

16:AF:57:A9:F6:76:B0:AB:12:60:95:AA:5E:BA:DE:F2:2A:B3:11:19:D6:44:AC:95:CD:4B:93:DB:F3:F2:6A:EB

The address listed in its Certification Practice Statement (linked here) is

Attn: Legal Counsel
DigiCert Policy Authority
Suite 500
2801 N. Thanksgiving Way Lehi, UT 84043 USA

However, it self-identifies (in its Subject) as being based in Ireland.

According to the timeline Wikipedia's editors have put together, it is currently owned by US-based DigiCert, and was only based in Ireland between

It's unclear why a root which has existed for at least twenty-two years would have in it listed a Country which was only relevant for a measly three of these (C=IE). [EDIT: the reason for this is it's coming from Mozilla's certdata.txt, line 730, which states that because it's included in the Subject, which is part of the input to the fingerprint]

(I privilege that particular site's database only because it's what the official Mozilla Wiki links to. I don't know what "reducing the amount of trusted agents" would look like here.)
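
The EDIT in the comment above traces the C=IE label to the Subject stored in Mozilla's certdata.txt. As an added example (not part of this issue thread or of cerdicator's code), the following decodes a certdata.txt-style `CKA_SUBJECT MULTILINE_OCTAL` block and reads the countryName out of the DER Name; the sample bytes are hand-built for C=IE, O=Baltimore, and all function names are hypothetical.

```javascript
// Constructed sample in certdata.txt's MULTILINE_OCTAL style: the DER Name for
// C=IE, O=Baltimore, hand-built for this example (not copied from certdata.txt).
const SAMPLE = String.raw`CKA_SUBJECT MULTILINE_OCTAL
\060\041\061\013\060\011\006\003\125\004\006\023\002\111\105
\061\022\060\020\006\003\125\004\012\023\011\102\141\154\164
\151\155\157\162\145
END`;

// Each \ooo triple is one byte; the header and END lines carry no backslashes.
function decodeMultilineOctal(text) {
  return Uint8Array.from(text.matchAll(/\\([0-7]{3})/g), m => parseInt(m[1], 8));
}

// Read one DER TLV header at `off` (short and long definite lengths).
function readTlv(buf, off) {
  if (off + 2 > buf.length) throw new RangeError('truncated DER');
  const tag = buf[off];
  let len = buf[off + 1];
  let start = off + 2;
  if (len & 0x80) {
    const n = len & 0x7f;
    len = 0;
    for (let i = 0; i < n; i++) len = len * 256 + buf[start + i];
    start += n;
  }
  if (!(start + len <= buf.length)) throw new RangeError('truncated DER');
  return { tag, start, end: start + len };
}
// Content bytes 55 04 06 of OID 2.5.4.6 (countryName), joined as decimals.
const OID_COUNTRY = '85.4.6';

// Walk Name -> RDN (SET) -> AttributeTypeAndValue and collect every C value.
function subjectCountries(der) {
  const name = readTlv(der, 0);
  if (name.tag !== 0x30) throw new TypeError('Name must be a SEQUENCE');
  const found = [];
  for (let p = name.start; p < name.end; ) {
    const rdn = readTlv(der, p);
    for (let q = rdn.start; q < rdn.end; ) {
      const atv = readTlv(der, q);
      const oid = readTlv(der, atv.start);
      const val = readTlv(der, oid.end);
      if (oid.tag === 0x06 && der.subarray(oid.start, oid.end).join('.') === OID_COUNTRY)
        found.push(new TextDecoder().decode(der.subarray(val.start, val.end)));
      q = atv.end;
    }
    p = rdn.end;
  }
  return found;
}
```

`subjectCountries(decodeMultilineOctal(SAMPLE))` returns the country exactly as the certificate asserts it about itself, which is why it can disagree with the CA's present-day ownership.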

JamesTheAwesomeDude commented 3 years ago

Ahaha, what a bag of fun

07:ED:BD:82:4A:49:88:CF:EF:42:15:DA:20:D4:8C:2B:41:D7:15:29:D7:C9:00:F5:70:92:6F:27:7C:C2:30:C5

JamesTheAwesomeDude commented 3 years ago

what a bag of fun

Have e-mailed CAcert about this, will be interested to see if they respond

JamesTheAwesomeDude commented 3 years ago

CAcert's ambiguity (which we can, admittedly, put on the back burner since they aren't trusted by browser vendors and are almost completely unused on the internet) really serves to highlight the fact that we don't have a well-defined answer to the question “What does it even mean for a CA to be "in" a country?”

I stand by the telos of "greatest political exposure", but how do you define that… (I'm sure the USG, Big Red, or Putin could coerce random third-world cert issuers to do anything they wanted, but I still think labeling them by their own country is correct. Hmm…)

JamesTheAwesomeDude commented 3 years ago

Have e-mailed CAcert about this

Ah, forgot to include the e-mail

From: James Edington
To: CAcert
Date: Mar 12, 2021, 4:57 PM CST

Hello,

I'm currently writing a browser extension to give users more awareness and control of the trust stack behind their TLS connections. I'd like to include CAcert as a supported certificate authority.

However, one of the core features of this extension will be to list at-a-glance the country of greatest political exposure for each CA. This would cover, essentially, the question: "Which country's intelligence community would have the easiest time coercing this CA's administrators to issue it fake certificates for intercepting communications of political dissidents?"

Now, most certificate authorities are quite regional — in fact, just 28 don't operate directly out of a ccTLD, and even those are all (mostly-)unitarily established in a single country.

But I'm having a hard time answering this question for CAcert. Am I understanding it correctly: that your corporate registration is in Australia, the PKI server containing the keys physically resides in Holland, and a majority of the staff with physical access to it are of German nationality?

In your opinion, which of these 3 countries would have the easiest time coercing your mal-issuance of a certificate for its own surveillance purposes? How much influence could, say, the Australian government exert over your goings-on, if it decided it were in the interest of national security?

Thank you,

James Edington

JamesTheAwesomeDude commented 3 years ago

Got a very interesting (and cordial!) reply:

From: Brian McCullough
To: James Edington
Date: May 25, 2021, 12:59 UTC

Greetings,

… am I understanding it correctly: that your corporate registration is in Australia, the PKI server containing the keys physically resides in Holland, and a majority of the staff with physical access to it are of German nationality?

Answering as the current President of CAcert, Inc., that information is generally correct, although a little out of date.

We have just recently moved our "base of record" from Australia to Switzerland, and are in the process of announcing this to our members.

The core team responsible for the actual operation and maintenance is generally German, as you state, although there are a couple of members of other nationalities.

On the Board of Directors are, at present, two Canadians, of which I am one, an Australian, a Frenchman living and working in Poland, a citizen of Switzerland, and a couple of other members.

… In your opinion, which of these 3 countries would have the easiest time coercing your mal-issuance of a certificate for its own surveillance purposes?

That question may require more internal discussion, but, at present, I would not expect that the Australian government would have any interest or capability in influencing our activities.

While the data centre is in the Netherlands, I don't expect that there would be much that they could do to us directly, although the data centre might possibly be a target.

Finally, as I said, I would want to discuss this with various Board Members and Team Leads, but, because of our various policies governing our operations and behaviour, including the requirement for multiple people being required for certain critical operations, I can not see a lot of influence being exerted.

Thank you,
Brian McCullough
President, CAcert, Inc.

I hope that they do end up publishing whatever reports their internal commissions into that question reveal; I'm sure that such would be extremely relevant to this project or its successor.