"If you are building products that intend to connect to a Google property moving forward you need to at a minimum include the above Root Certificates."
The foundation of a more secure web apparently requires you to trust Google with the entire internet, using their properties as leverage to force it to be so.
Is Google less trustworthy than Go Daddy? Or CNNIC? Or the Hong Kong Post Office? Yes, the CA system is broken, but framing that as an anti-Google argument seems silly.
I agree in principle, but currently every CA is a single point of failure for the entire Internet, so adding more CAs makes things worse rather than better. We need something like DNSSEC/DANE to enable actual decentralization (where the Hong Kong post office could only sign Hong Kong domain names and so on).
I would like to see a single responsible CA for each domain (which are allowed to hierarchically delegate). Country-specific agencies should only be able to sign domains within their country, and .com addresses (which should be reserved for genuinely international sites, though that's a separate argument) should be handled by an international CA that can a) apply some consistent international standard for how domain owners are identified etc. and b) be specifically held accountable for dodgy .com certificates.
So... one CA for each domain, leaving no competition? And which unwanted domain will LetsEncrypt be left with, then?
Back in the real world, we have multiple CAs who have accountability for lots of overlapping domains. You can wish for some other non-existent situation, everyone else has to make the best of the situation as it stands.
> So... one CA for each domain, leaving no competition? And which unwanted domain will LetsEncrypt be left with, then?
Domains can compete with each other, particularly given the big opening up of TLDs. We could have actual competition between CAs at the end-user-facing level because it'd be visible to the user who the CA was (the CA and the registry ought to be merged - at the moment they're two parallel sets of infrastructure for doing the same thing), and if particular domains/CAs had poor-quality identity checking users might actually start to notice. As opposed to today, where the only one who knows which CA a domain might be using is the domain owner, and so the incentive largely is for the CA to do as little checking as possible.
> Back in the real world, we have multiple CAs who have accountability for lots of overlapping domains. You can wish for some other non-existent situation, everyone else has to make the best of the situation as it stands.
There's a migration path. Enable DNSSEC/DANE with all CAs authorized for all domains initially, then allow countries / TLD owners to start restricting who can sign certificates for their domains. If Hong Kong moved to requiring only Hong Kong Post Office to sign their domains, we could see how well or badly that model works - if it reduces phishing / spying then other countries will follow the same, if it stifles innovative internet businesses then they'll move away from that. But 150+ entities all having the power to own every site on the internet can't possibly be the right model.
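The "only the Hong Kong Post Office may sign Hong Kong domains" restriction described in this comment is what a DANE-TA (usage 2) TLSA record expresses: the zone publishes a hash of the CA it authorises, and a validator accepts a chain only if that CA appears in it. The block below is an added example, not code from the thread; the "certificates" are constructed byte strings standing in for DER-encoded X.509 data, and the CA names are made up. It implements the RFC 6698 selector/matching-type logic for usages 2 and 3 (usages 0 and 1 also require PKIX path validation, which is out of scope here).

```python
import hashlib
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Cert:
    der: bytes   # DER-encoded certificate (constructed stand-in here)
    spki: bytes  # DER-encoded SubjectPublicKeyInfo (constructed stand-in here)


@dataclass(frozen=True)
class TLSA:
    usage: int     # 2 = DANE-TA (pin an issuing CA), 3 = DANE-EE (pin the leaf)
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo only
    matching: int  # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes    # certificate association data


# Constructed stand-ins; a real validator would take these from the TLS handshake.
HK_POST_CA = Cert(b"constructed-der:ca:hongkong-post-root",
                  b"constructed-spki:ca:hongkong-post-root")
OTHER_CA = Cert(b"constructed-der:ca:some-other-global-ca",
                b"constructed-spki:ca:some-other-global-ca")
LEAF = Cert(b"constructed-der:leaf:www.example.hk",
            b"constructed-spki:leaf:www.example.hk")


def _selected_bytes(cert: Cert, selector: int) -> bytes:
    # Selector picks which part of the certificate the record refers to.
    if selector == 0:
        return cert.der
    if selector == 1:
        return cert.spki
    raise ValueError(f"unknown TLSA selector {selector}")


def _association_data(raw: bytes, matching: int) -> bytes:
    # Matching type says how the selected bytes were transformed before publishing.
    if matching == 0:
        return raw
    if matching == 1:
        return hashlib.sha256(raw).digest()
    if matching == 2:
        return hashlib.sha512(raw).digest()
    raise ValueError(f"unknown TLSA matching type {matching}")


def record_matches(cert: Cert, rec: TLSA) -> bool:
    """True if this one certificate satisfies the record's selector/matching/data."""
    return _association_data(_selected_bytes(cert, rec.selector), rec.matching) == rec.data


def chain_satisfies_tlsa(chain: List[Cert], records: Iterable[TLSA]) -> bool:
    """chain[0] is the end-entity certificate, chain[1:] the issuing CA(s).

    Returns True if at least one record is satisfied: a DANE-EE record must match
    the leaf, a DANE-TA record must match one of the issuing CAs (so a chain from
    any other CA, however widely trusted, is rejected). Usages 0 and 1 are skipped.
    """
    leaf, issuers = chain[0], chain[1:]
    for rec in records:
        if rec.usage == 3:
            candidates = [leaf]
        elif rec.usage == 2:
            candidates = issuers
        else:
            continue
        if any(record_matches(c, rec) for c in candidates):
            return True
    return False


def tlsa_for_trust_anchor(ca: Cert) -> TLSA:
    """Publish-side helper: a '2 1 1' record pinning a CA by SHA-256 of its SPKI."""
    return TLSA(usage=2, selector=1, matching=1, data=hashlib.sha256(ca.spki).digest())


if __name__ == "__main__":
    zone_records = [tlsa_for_trust_anchor(HK_POST_CA)]
    print(chain_satisfies_tlsa([LEAF, HK_POST_CA], zone_records))  # True
    print(chain_satisfies_tlsa([LEAF, OTHER_CA], zone_records))    # False
```

The point of the usage-2 record is that it narrows trust rather than adding to it: the same leaf certificate is accepted or rejected purely on which CA the zone has named, which is the per-domain restriction the comment proposes as a migration step.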
So any sufficiently good product is a monopoly, assuming that their goodness is beyond the threshold to be favored by the majority of customers.
What do you want to say about Google's monopoly? Are Google going to hurt others and throttle effective competition? Was there any competition in the CA market at all?
I didn't make a claim about whether they were trustworthy. Google has leveraged their properties to force people to trust them with the rest of the internet, regardless of whether you think they are trustworthy or not.
"Google has leveraged their properties to force people to trust them with the rest of the internet"
Google saw the dismal situation of Internet CAs, and forced the internet to move to a better situation. Forcing people to behave better is a good thing, IMHO. If you think the other way around, there will not be a common ground for discussion between you and me.
It's basically Google scratching their own itch and their PR people having to polish this stuff by inserting expressions like "more secure" and "moving forward".
It's disgusting but pretty much corporate life 101.
Actually it does address your point about trust; CT severely limits the amount of trust we need to place in any single participating CA, including now Google.
I think it's related? Since certificate transparency is a way of watching what's going on with all certificate providers (or at least the ones that use it), an organization that thinks Google's root is up to no good has a way of checking.
It's after the fact, to be sure, but it matters for reputation.
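The check these two comments describe, an organisation watching the logs for certificates covering its own names and flagging any issued by a CA it did not expect, looks roughly like the block below. It is an added example, not code from the thread or from any CT log implementation: real logs return signed, DER-encoded entries that need proper parsing, so the one-JSON-object-per-line shape, the issuer names and the log indexes here are all constructed for the example.

```python
import json
from typing import Dict, List, Set

# Constructed log excerpt, simplified to the three fields the check needs.
SAMPLE_LOG = """
{"index": 101, "issuer": "CN=Contoso Issuing CA", "sans": ["example.org", "www.example.org"]}
{"index": 102, "issuer": "CN=Other Global CA", "sans": ["mail.example.org"]}
{"index": 103, "issuer": "CN=Contoso Issuing CA", "sans": ["unrelated.test"]}
{"index": 104, "issuer": "CN=Other Global CA", "sans": ["*.example.org"]}
{"index": 105, "issuer": "CN=Yet Another CA", "sans": ["example.org.evil.test"]}
"""


def parse_log(text: str) -> List[Dict]:
    """Parse the constructed newline-delimited JSON entries."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def in_zone(name: str, zone: str) -> bool:
    """True if a SAN is the zone itself, a subdomain of it, or a wildcard under it.

    Matching on the label boundary matters: 'example.org.evil.test' must not be
    treated as part of 'example.org'.
    """
    name, zone = name.lower(), zone.lower()
    if name.startswith("*."):
        name = name[2:]
    return name == zone or name.endswith("." + zone)


def unexpected_issuances(entries: List[Dict], zone: str, allowed_issuers: Set[str]) -> List[int]:
    """Return log indexes of certificates that cover the zone but come from a CA
    the zone owner has not authorised. Entries for other zones are ignored."""
    hits = []
    for entry in entries:
        if not any(in_zone(san, zone) for san in entry["sans"]):
            continue
        if entry["issuer"] not in allowed_issuers:
            hits.append(entry["index"])
    return hits


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    # The zone owner only ever buys from one CA; anything else is worth a look.
    print(unexpected_issuances(entries, "example.org", {"CN=Contoso Issuing CA"}))  # [102, 104]
```

As the comment says, this is after the fact: the log proves a certificate was issued, it does not stop the issuance. Its value is that mis-issuance by any participating CA, including one run by Google, becomes visible to the affected domain owner rather than only to the CA.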