Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
throwaway2037 3 months ago

This is a great question. If we don't have CAs, how do we know if it OK to trust a cert?

Are there any reasonable alternatives to CAs in a modern world? I have never heard any good proposals.

3 months ago | parent | next [-]
[deleted]
kbolino 3 months ago | parent | prev [-]

There are some alternatives.

Certificate pinning is probably the most widely known way to get a certificate out there without relying on live PKI. However, certificate pinning just shifts the burden of trust from runtime to install time, and puts an expiration date on every build of the program. It also doesn't work for any software that is meant to access more than a small handful of pre-determined sites.

Web-of-trust is a theoretical possibility, and is used for PGP-signed e-mail, but it's also a total mess that doesn't scale. Heck, the best way to check the PGP keys for a lot of signed mail is to go to an HTTPS website and thus rely on the CAs.

DNSSEC could be the basis for a CA-free world, but it hasn't achieved wide use. Also, if used in this way, it would just shift the burden of trust from CAs to DNS operators, and I'm not sure people really like those much better.

hackcoughgasp 2 months ago | parent [-]

Certificate pinning is suicide in an environment where certificates expire in max 47 days. You'll have to rebuild and push your app at least that often and probably sync your devops with your certificate management.

kbolino 2 months ago | parent [-]

Only if you pin a CA/Browser Forum-approved certificate. But you don't have to do that.

You can instead pin a self-signed or private CA-signed certificate, and then it can have the maximum lifetime you're comfortable with and that the software supports. A related option is to ship your app with a copy of your private CA certificate(s) and configure the HTTPS client to trust those in addition to, or instead of, the system-provided CAs.

I'm not sure how viable these approaches are on more locked-down platforms (like smartphones) and, even if they are viable today, whether they will remain viable in the future. It's also only good for full apps; anything that uses the system browser has to stick with the system CAs.