handle ambiguous political-exposure cases #6

Open
JamesTheAwesomeDude opened this issue Aug 18, 2020 · 5 comments
Labels
enhancement New feature or request question Further information is requested

Comments

@JamesTheAwesomeDude
Owner

JamesTheAwesomeDude commented Aug 18, 2020

e.g. DigiCert's "Baltimore CyberTrust Root"

16:AF:57:A9:F6:76:B0:AB:12:60:95:AA:5E:BA:DE:F2:2A:B3:11:19:D6:44:AC:95:CD:4B:93:DB:F3:F2:6A:EB

The address listed in its Certification Practice Statement (linked here) is

Attn: Legal Counsel
DigiCert Policy Authority
Suite 500
2801 N. Thanksgiving Way
Lehi, UT 84043 USA

However, it self-identifies (in its Subject) as being based in Ireland.

According to the timeline Wikipedia's editors have put together, it is currently owned by US-based DigiCert, and was only based in Ireland between

  • 2000 (when it was purchased by Ireland-based Baltimore Technologies),
    and
  • 2003 (when it was purchased by US-based BeTrusted Holdings, Inc.).

It's unclear why a root which has existed for at least twenty-two years would have in it listed a Country which was only relevant for a measly three of these (C=IE). [EDIT: the reason for this is it's coming from Mozilla's certdata.txt, line 730, which states that because it's included in the Subject, which is part of the input to the fingerprint]

  • Should we try to parse this info out of the root cert anyway? [no]
  • Should we [continue to] rely on Force.com's CCADB mirror as our source-of-truth? [yes]
  • Should we actually engage in something WoT-spectrum radical? [perhaps]

(I privilege that particular site's database only because it's what the official Mozilla Wiki links to. I don't know what "reducing the amount of trusted agents" would look like here.)

@JamesTheAwesomeDude JamesTheAwesomeDude added the enhancement New feature or request label Aug 18, 2020
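
The policy settled on in the first comment (do not derive the country from the root's Subject; treat the curated, CCADB-derived record as authoritative), sketched as an added example that is not part of the thread or the extension's code. `readTlv`, `subjectCountries`, `exposure` and the `CURATED` table are hypothetical names, and the sample Name is constructed.

```javascript
// Added example; all function names and the CURATED layout are hypothetical.
const BALTIMORE_FP = "16:AF:57:A9:F6:76:B0:AB:12:60:95:AA:5E:BA:DE:F2:2A:B3:11:19:D6:44:AC:95:CD:4B:93:DB:F3:F2:6A:EB";
// Curated record keyed by SHA-256 fingerprint; "US" follows the CPS address quoted in the issue.
const CURATED = { [BALTIMORE_FP]: { country: "US" } };

// Read one DER TLV at `off`; `next` is the offset of the following TLV in `buf`.
function readTlv(buf, off) {
  if (off + 2 > buf.length) throw new Error("truncated DER header");
  const tag = buf[off];
  let len = buf[off + 1], p = off + 2;
  if (len & 0x80) {                       // long form: low 7 bits count the length bytes
    const n = len & 0x7f;
    if (n === 0 || n > 4 || p + n > buf.length) throw new Error("bad DER length");
    len = 0;
    for (let i = 0; i < n; i++) len = len * 256 + buf[p++];
  }
  if (p + len > buf.length) throw new Error("truncated DER value");
  return { tag, body: buf.subarray(p, p + len), next: p + len };
}

// Collect every countryName (OID 2.5.4.6, DER bytes 55 04 06) in a DER-encoded Name.
function subjectCountries(nameDer) {
  const name = readTlv(nameDer, 0);
  if (name.tag !== 0x30) throw new Error("Name must be a SEQUENCE");
  const found = [];
  for (let i = 0; i < name.body.length; ) {
    const rdn = readTlv(name.body, i);    // SET of AttributeTypeAndValue
    i = rdn.next;
    for (let j = 0; j < rdn.body.length; ) {
      const atv = readTlv(rdn.body, j);
      j = atv.next;
      const oid = readTlv(atv.body, 0);
      const val = readTlv(atv.body, oid.next);
      if (oid.tag === 0x06 && oid.body.join() === "85,4,6") found.push(String.fromCharCode(...val.body));
    }
  }
  return found;
}

// Curated country wins; the Subject's C= is only used to flag a disagreement.
function exposure(fingerprint, subjectDer) {
  const claimed = subjectCountries(subjectDer);
  const rec = CURATED[fingerprint];
  if (!rec) return { country: null, claimed, ambiguous: true };
  return { country: rec.country, claimed, ambiguous: !claimed.includes(rec.country) };
}

// Constructed sample: a minimal DER Name holding only C=IE (not bytes from the real root).
const SAMPLE_SUBJECT = Uint8Array.from([0x30, 0x0d, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x49, 0x45]);
```

For the constructed input, `exposure(BALTIMORE_FP, SAMPLE_SUBJECT)` reports country `US`, `claimed` of `["IE"]`, and `ambiguous: true`; a fingerprint with no curated record yields `country: null`.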
@JamesTheAwesomeDude
Owner Author

JamesTheAwesomeDude commented Sep 7, 2020

Ahaha, what a bag of fun

07:ED:BD:82:4A:49:88:CF:EF:42:15:DA:20:D4:8C:2B:41:D7:15:29:D7:C9:00:F5:70:92:6F:27:7C:C2:30:C5
  • CAcert, Inc. is (allegedly) registered in New South Wales 🇦🇺
  • Their PKI server is physically hosted in Holland 🇳🇱
  • It appears that the majority (perhaps all?) of CAcert's technicians authorized to physically access this server are of German nationality 🇩🇪

@JamesTheAwesomeDude
Owner Author

JamesTheAwesomeDude commented Mar 23, 2021

> what a bag of fun

Have e-mailed CAcert about this, will be interested to see if they respond

@JamesTheAwesomeDude JamesTheAwesomeDude added the question Further information is requested label May 23, 2021
@JamesTheAwesomeDude
Owner Author

JamesTheAwesomeDude commented May 23, 2021

CAcert's ambiguity (which we can, admittedly, put on the back burner since they aren't trusted by browser vendors and are almost completely unused on the internet) really serves to highlight the fact that we don't have a well-defined answer to the question “What does it even mean for a CA to be "in" a country?”

I stand by the telos of "greatest political exposure", but how do you define that… (I'm sure the USG, Big Red, or Putin could coerce random third-world cert issuers to do anything they wanted, but I still think labeling them by their own country is correct. Hmm…)

@JamesTheAwesomeDude
Owner Author

> Have e-mailed CAcert about this

Ah, forgot to include the e-mail

From: James Edington
To: CAcert
Date: Mar 12, 2021, 4:57 PM CST

Hello,

I'm currently writing a browser extension to give users more awareness and control of the trust stack behind their TLS connections. I'd like to include CAcert as a supported certificate authority.

However, one of the core features of this extension will be to list at-a-glance the country of greatest political exposure for each CA. This would cover, essentially, the question: "Which country's intelligence community would have the easiest time coercing this CA's administrators to issue it fake certificates for intercepting communications of political dissidents?"

Now, most certificate authorities are quite regional — in fact, just 28 don't operate directly out of a ccTLD, and even those are all (mostly-)unitarily established in a single country.

But I'm having a hard time answering this question for CAcert. Am I understanding it correctly: that your corporate registration is in Australia, the PKI server containing the keys physically resides in Holland, and a majority of the staff with physical access to it are of German nationality?

In your opinion, which of these 3 countries would have the easiest time coercing your mal-issuance of a certificate for its own surveillance purposes? How much influence could, say, the Australian government exert over your goings-on, if it decided it were in the interest of national security?

Thank you,

James Edington

@JamesTheAwesomeDude
Owner Author

Got a very interesting (and cordial!) reply:

From: Brian McCullough
To: James Edington
Date: May 25, 2021, 12:59 UTC

Greetings,

> … am I understanding it correctly: that your corporate registration is in Australia, the PKI server containing the keys physically resides in Holland, and a majority of the staff with physical access to it are of German nationality?

Answering as the current President of CAcert, Inc., that information is generally correct, although a little out of date.

We have just recently moved our "base of record" from Australia to Switzerland, and are in the process of announcing this to our members.

The core team responsible for the actual operation and maintenance is generally German, as you state, although there are a couple of members of other nationalities.

On the Board of Directors are, at present, two Canadians, of which I am one, an Australian, a Frenchman living and working in Poland, a citizen of Switzerland, and a couple of other members.

> … In your opinion, which of these 3 countries would have the easiest time coercing your mal-issuance of a certificate for its own surveillance purposes?

That question may require more internal discussion, but, at present, I would not expect that the Australian government would have any interest or capability in influencing our activities.

While the data centre is in the Netherlands, I don't expect that there would be much that they could do to us directly, although the data centre might possibly be a target.

Finally, as I said, I would want to discuss this with various Board Members and Team Leads, but, because of our various policies governing our operations and behaviour, including the requirement for multiple people being required for certain critical operations, I can not see a lot of influence being exerted.

Thank you,
Brian McCullough
President, CAcert, Inc.

I hope that they do end up publishing whatever reports their internal commissions into that question reveal; I'm sure that such would be extremely relevant to this project or its successor.

JamesTheAwesomeDude added a commit that referenced this issue May 30, 2021
Per the e-mail from their president rcvd on May 25th, 2020
#6 (comment)

This is probably the closest thing to a correct choice for now:

 - Datacenter is in Holland https://www.bit.nl/en/datacenters-2/general-datacenter
   There is nothing whatsoever to prevent the Algemene Inlichtingen- en Veiligheidsdienst
   from just court+gag-ordering BIT to give their glowies direct server access

 - "The core team responsible for the actual operation and maintenance is generally German"

 - Board of Directors is basically assorted EU+CA+AU