But that only explained the part that works well. This week, I’ll tell you where it has been falling apart.
A root CA can create something called a subordinate CA (sub-CA) certificate, also known as an intermediate CA certificate. The holder of one of these can create certificates that are treated as being just as valid as if they had been signed by the ultimate root authority itself.
The people who designed PKI intended that these certificates be used to delegate certificate signing down to subunits of the overall authority. For example, a multinational CA might delegate authority to its national or regional divisions.
However, the math works the same even if the intent doesn’t “follow the rules.”
Some organizations want to monitor traffic in and out of their site for data loss prevention (or DLP) even though it is protected by the encryption of HTTPS. So one workaround is to set up a reverse proxy which masquerades as the entire Internet to inside clients. You create a public/private key pair for the proxy, and wrap the public key inside a certificate which you create and then install on all interior clients as a trusted root authority. The interior clients believe they are making a root-CA-authenticated connection to the real server. Actually they are making an HTTPS connection to the reverse proxy, which decrypts and inspects the data, and (if allowed) sends it into a second HTTPS connection from the exterior of the reverse proxy to the server.
Sometimes, however, a root CA gets convinced to sell one of its customers a subordinate CA certificate, which gives that customer the ability to masquerade as any site on the Internet.
The most recent prominent example of this happened back in December. On 7 December 2013 a Google blog reported that on the 3rd they became aware of unauthorized digital certificates for several Google domains. They had been issued by an intermediate certificate authority linking back to ANSSI, a French CA.
This was detected by Chrome, which connects to google.com via HTTPS to check for updates, and Chrome knows what the Google public keys really are. If it is presented with a non-Google key that appears to verify, via one of the real root CAs, as a Google key, it reports this.
Google first announced that Chrome was revoking the spurious certificate. Within a week Google confined ANSSI to the Francophone part of the Internet, trusting ANSSI-signed certificates only for these top-level domains:
.pm Saint-Pierre et Miquelon
.mf Saint Martin
.wf Wallis et Futuna
.pf Polynésie française
.nc Nouvelle Calédonie
.tf Terres australes et antarctiques françaises
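The two client-side checks described above, key pinning and confining a root to a set of top-level domains, can be sketched as follows. This is an added example, not Chrome's code: the key blobs, hostnames and the `evaluate` function are constructed for illustration, and the chain's signatures are assumed to have verified already.

```python
import base64
import hashlib

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo (SPKI) blobs.
GENUINE_KEY = b"constructed-spki: genuine site key"
SPURIOUS_KEY = b"constructed-spki: key in a mis-issued certificate"
SUB_CA_KEY = b"constructed-spki: intermediate CA key"
RESTRICTED_ROOT = b"constructed-spki: root limited to certain TLDs"
OTHER_ROOT = b"constructed-spki: unrestricted root"


def pin(spki):
    """Base64 SHA-256 of the SPKI bytes, a common form for a key pin."""
    return base64.b64encode(hashlib.sha256(spki).digest()).decode()


# Pinned domains: at least one key in the chain must be in the set
# (assumption: any-key-in-chain matching).
PINS = {"google.com": {pin(GENUINE_KEY)}}
# Roots trusted only for the listed TLDs (the six named in the post).
ROOT_TLDS = {pin(RESTRICTED_ROOT): {"pm", "mf", "wf", "pf", "nc", "tf"}}


def evaluate(host, chain):
    """Policy decision for a chain given leaf first, root last."""
    host = host.lower().rstrip(".")
    seen = {pin(spki) for spki in chain}
    for domain, pins in PINS.items():
        in_scope = host == domain or host.endswith("." + domain)
        if in_scope and not (pins & seen):
            # The chain verifies, but the key is not one we expect.
            return "reject: pin mismatch"
    allowed = ROOT_TLDS.get(pin(chain[-1]))
    if allowed is not None and host.rsplit(".", 1)[-1] not in allowed:
        return "reject: root not trusted for this TLD"
    return "accept"


if __name__ == "__main__":
    for host, chain in [
        ("www.google.com", [GENUINE_KEY, SUB_CA_KEY, OTHER_ROOT]),
        ("www.google.com", [SPURIOUS_KEY, SUB_CA_KEY, RESTRICTED_ROOT]),
        ("shop.example.com", [SPURIOUS_KEY, SUB_CA_KEY, RESTRICTED_ROOT]),
        ("example.nc", [SPURIOUS_KEY, SUB_CA_KEY, RESTRICTED_ROOT]),
    ]:
        print(host, "->", evaluate(host, chain))
```

The pin check catches a mis-issued certificate only for domains the client already holds keys for; the TLD restriction limits what the root can vouch for everywhere else.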
But this was nothing new. Next week I’ll tell you about earlier events in this troubling trend.