←back to thread

A Brazilian CA trusted only by Microsoft has issued a certificate for google.com

(follow.agwa.name)
482 points sanqui | 5 comments | 30 Nov 24 21:35 UTC | HN request time: 0s | source
Show context
danpalmer ◴[01 Dec 24 00:47 UTC] No.42285229[source]
This is a bad look. I expected the result would be Chrome and Firefox dropping trust for this CA, but they already don't trust this CA. Arguably, Microsoft/Windows trusting a CA that the other big players choose not to trust is an even worse look for Microsoft.
replies(8): >>42285389 #>>42285408 #>>42285431 #>>42285622 #>>42286061 #>>42286142 #>>42286897 #>>42287654 #
jsheard ◴[01 Dec 24 01:23 UTC] No.42285389[source]
What is even the point of a web CA that isn't trusted by all of the major players? Is there one?
replies(3): >>42285424 #>>42285444 #>>42285550 #
tialaramex ◴[01 Dec 24 01:36 UTC] No.42285444[source]
These are generally government CAs, so, typically the situation is Microsoft sold the government Windows, and as part of that deal (at least tacitly) agreed to the CA being trusted, and so every system that's trusting these certificates is a Windows PC anyway, running Edge because the whole point was the government will only use Windows and pays Microsoft $$$.

Why bake it into everybody else's Windows? If you make say a Brazil Government-only Windows which trusts this CA instead, I guarantee somebody crucial in Brazil will buy a 3rd party Windows laptop independently and it doesn't work with this CA's certificates and that ends up as Microsoft's problem to fix, so, easier to just have every Windows device trust the CA.

They'll have an assurance from the CA that it won't do this sort of crap, and that's enough, plausible deniability. Microsoft will say they take this "very seriously" and do nothing and it'll blow over. After all this stuff happened before and it'll happen again, and Windows will remain very popular.

replies(4): >>42285464 #>>42285561 #>>42285818 #>>42285942 #
awinter-py ◴[01 Dec 24 02:03 UTC] No.42285561{3}[source]
what's the state's interest in having their CA built into windows?
replies(7): >>42285580 #>>42285679 #>>42285705 #>>42285808 #>>42285814 #>>42285837 #>>42286935 #
1. mnau ◴[01 Dec 24 02:38 UTC] No.42285705{4}[source]
E.g. identity verification. My state has a "qualified" certificate that can be used to sign contracts and basically everything else you can do in-person. When you can transfer you home with that, there are higher requirements on checking the identity of a person who gets the certificate.

That CA is not used for much else and is basically confined to our state. But it has to be in Windows, otherwise no other software could verify the signatures.

See eIDAS and other similar schemes.

replies(3): >>42286944 #>>42288746 #>>42292455 #
2. tsimionescu ◴[01 Dec 24 07:51 UTC] No.42286944[source]
Why would you want to mix identity verification with the WebPKI? This makes no sense at all. Just because a CA is trusted for web verification doesn't mean it's trusted for identity verification, machine enrollment, or any other purpose. And vice-versa: a CA for identity verification is not in any way trusted for web verification.
replies(1): >>42288754 #
3. Muromec ◴[01 Dec 24 14:59 UTC] No.42288746[source]
You don't really need your CA doing eIDAS in the system root. This scheme works as a closed system where you need eIDAS app to produce the artifact and another eIDAS app to verify it, when both have their own non-system root.

Ukraine for example successfully operates their own eIDAS-like scheme where everything is based on DSTU+GOST algos not supported by any operating systems a major libraries, the certs are signed by the government root and it doesn't leak into web pki.

4. Muromec ◴[01 Dec 24 15:00 UTC] No.42288754[source]
I think the idea was to use client certs for strong authentication on the government web services, which didn't rally took off, except maybe in Estonia.
5. estebarb ◴[02 Dec 24 02:12 UTC] No.42292455[source]
It doesn't have to be. In Costa Rica the Central Bank has their own CA for the same purpose. We need to download the certificates ourselves. It is inconvenient, but an error by that CA won't propagate to the rest of the world.