WebPKI and You (opens in new tab)

(blog.brycekerley.net)

90 pointsaragilar3mo ago23 comments

23 comments

17 comments · 5 top-level

ocdtrekkie3mo ago· 6 in thread

There's a huge suggestion in here which would make PKI vastly more respectable: Disallowing root programs (browser operators) from also being CAs. I loudly suggested at the time Google Trust Services should be rejected but the Mozilla rep loudly defended approving a CA from a root program from a company that happens to pay their entire salary.

PKI as it stands is only a few steps from Google just deciding everyone must have a short-lived certificate from Google to be on the web.

nickf3mo ago

While I sort-of see what you're trying to say, if you knew the groups and teams involved - you'd know there was no favouritism and a strong degree of separation between CA and root programs.

The root programs who have their own CAs are also cloud providers, who arguably have a legitimate need for the CA. Or in Apple's case they have their own CA, but don't issue externally. They keep CA and root program separate.

ocdtrekkie3mo ago

I know the people involved enough to be very concerned that the CA/B decides whether something can exist on the web.

alwillis3mo ago

The CA/Browser Forum, not Google, decides the length of time certificates are valid for.

If you don’t like a particular CA’s policies, you can choose a different one.

ocdtrekkie3mo ago

That's fundamentally untrue. Browser root programs unilaterally decide their requirements, and also unilaterally boot other CA/B members out of the CA/B. The CA/B is not by any means a useful functional body, it's an excuse why companies can't be forced to undo things after the fact.

nickf3mo ago

That's absolutely incorrect. While CABF sets the 'Baseline Requirements' that ultimately go into the WebTrust audit scheme that root programs use to accept roots into their trust stores...browsers can and do set their own rules.

The reduction of TLS cert lifetime to a max of 398 days was an Apple policy.

alwillis3mo ago

> browsers can and do set their own rules.

Here's a link to the minutes of the CABF meeting where the 25 certificate issuers and the 4 browser vendors—Apple, Google, Microsoft, Mozilla—agreed to reduce the validity period of TLS certificates unanimously [1].

> The reduction of TLS cert lifetime to a max of 398 days was an Apple policy.

Actually, all of the browser vendors voted to reduce the validity period of TLS certificates from 825 days to 398 days at the September 2019 meeting. The ballot failed because a majority of the certificate issuers voted against it.

At the February 2020 CABF meeting, Apple announced it would unilaterally enforce the 398-day limit through its own root program policy. Starting September 1, 2020, any new TLS certificate with a validity period exceeding 398 days would simply not be trusted by Safari, macOS, or iOS.

This effectively made the 398-day limit a de facto standard — no CA would issue longer certificates if they’d be rejected by Apple devices [2].

    |Date             |Max Certificate Validity|SAN Data Reuse Period|
    |-----------------|------------------------|---------------------|
    |Before March 2026|398 days (current)      |398 days             |
    |March 15, 2026   |200 days                |200 days             |
    |March 15, 2027   |100 days                |100 days             |
    |March 15, 2028   |47 days                 |10 days              |
    |March 15, 2029   |47 days                 |10 days (final)      |

[1]: https://cabforum.org/2025/04/11/ballot-sc081v3-introduce-sch...

[2]: https://www.entrust.com/blog/2020/02/apple-announces-398-day...

bob10293mo ago· 4 in thread

The short lived certificates started making a lot more sense to me when I discovered I could get Let's Encrypt to issue IP address certs. Clearly, in this context of use we need our certificates to die quickly.

You can now make any web server operate with a publicly valid TLS certificate without paying any money, registering a domain, configuring DNS or disclosing any personally identifiable information. It can be entirely automatic and zero configuration. The only additional service required is something like a STUN server so the public IP can be discovered and updated over time.

yosamino3mo ago

I am reading your comment and find the proposition interesting, but I can't quite understand the part about the STUN server - doesn't that "just" help me find my own public IP address ? Do you mean that I could then give out this address to others (instead of them having to do a DNS lookup) so they can connect to the webserver ?

lelanthran3mo ago

> I am reading your comment and find the proposition interesting, but I can't quite understand the part about the STUN server - doesn't that "just" help me find my own public IP address ?

He is hosting his domain on a machine behind a reverse proxy over which he has no control (common enough); in this case the server will not know its own public IP as all resolves to (for example) `www.mydomain.com` will return the address of the proxy. To get the public IP he uses a STUN (or similar) public-facing service.

Not quite sure why he needs the public IP, though: from what I remember, the certs include the domain, not the IP.

bob10293mo ago

You can issue a TLS certificate with a SAN that is a literal IPv4 address. You do not need a domain to serve TLS to clients. It definitely helps with the UX, but it's not mandatory for the browsers and other web tech to function.

1 more reply

bob10293mo ago

Yes the point is to simply discover the public ip you present as on the internet. It's not a particularly hard problem to solve, but you often can't know your public interface just from inside the machine. Being behind a NAT with TCP 80/443 forwarded to the actual web server is an example.

ivanr3mo ago· 2 in thread

If you like this sort of thing, perhaps you'll enjoy my SSL/TLS and PKI history where I track a variety of ecosystem events starting with the creation of SSL in 1994: https://www.feistyduck.com/ssl-tls-and-pki-history/

pseudohadamard3mo ago

  TLS is not The Web

Does the TLS working group know that? Pretty much all their design work apart from one guy representing email use via Postfix and a few guys working on a perpetual-motion-machine profile for telcos assumes the only possible use for TLS is the web.

ivanr3mo ago

Maybe you're onto something, but in what way do you think that TLS is not serving other protocols?

Personally, I think we have a bigger problem on the PKI side, where Web PKI is very strong, but Internet PKI has been neglected. The recent move to remove client authentication is a good example.

1 more reply

Uptrenda3mo ago

I feel this is a perfect complement to the current 1. link: https://satproto.org/ which implements its own CA system with different trade-offs.

aragilarOP3mo ago

It's worth noting that while splitting the PKI hierarchies is a good thing, the CABF does provide rules S/MIME (email signing) and Code Signing. Also, "WebPKI" never actually appears in the BR documents from what I can see, nor do they require the use of HTTP (hence why you can use these for SMTP).

j / k navigate · click thread line to collapse

23 comments

17 comments · 5 top-level

ocdtrekkie3mo ago· 6 in thread

PKI as it stands is only a few steps from Google just deciding everyone must have a short-lived certificate from Google to be on the web.

nickf3mo ago

While I sort-of see what you're trying to say, if you knew the groups and teams involved - you'd know there was no favouritism and a strong degree of separation between CA and root programs.

ocdtrekkie3mo ago

I know the people involved enough to be very concerned that the CA/B decides whether something can exist on the web.

alwillis3mo ago

The CA/Browser Forum, not Google, decides the length of time certificates are valid for.

If you don’t like a particular CA’s policies, you can choose a different one.

ocdtrekkie3mo ago

nickf3mo ago

The reduction of TLS cert lifetime to a max of 398 days was an Apple policy.

alwillis3mo ago

> browsers can and do set their own rules.

> The reduction of TLS cert lifetime to a max of 398 days was an Apple policy.

This effectively made the 398-day limit a de facto standard — no CA would issue longer certificates if they’d be rejected by Apple devices [2].

    |Date             |Max Certificate Validity|SAN Data Reuse Period|
    |-----------------|------------------------|---------------------|
    |Before March 2026|398 days (current)      |398 days             |
    |March 15, 2026   |200 days                |200 days             |
    |March 15, 2027   |100 days                |100 days             |
    |March 15, 2028   |47 days                 |10 days              |
    |March 15, 2029   |47 days                 |10 days (final)      |

[1]: https://cabforum.org/2025/04/11/ballot-sc081v3-introduce-sch...

[2]: https://www.entrust.com/blog/2020/02/apple-announces-398-day...

bob10293mo ago· 4 in thread

yosamino3mo ago

lelanthran3mo ago

> I am reading your comment and find the proposition interesting, but I can't quite understand the part about the STUN server - doesn't that "just" help me find my own public IP address ?

Not quite sure why he needs the public IP, though: from what I remember, the certs include the domain, not the IP.

bob10293mo ago

1 more reply

bob10293mo ago

ivanr3mo ago· 2 in thread

pseudohadamard3mo ago

  TLS is not The Web

ivanr3mo ago

Maybe you're onto something, but in what way do you think that TLS is not serving other protocols?

Personally, I think we have a bigger problem on the PKI side, where Web PKI is very strong, but Internet PKI has been neglected. The recent move to remove client authentication is a good example.

1 more reply

Uptrenda3mo ago

I feel this is a perfect complement to the current 1. link: https://satproto.org/ which implements its own CA system with different trade-offs.

aragilarOP3mo ago

j / k navigate · click thread line to collapse