U.S. Congress proposes reining in power of government-owned CAs
Wed 10 Jun 2015
Four members of a U.S. Congress committee are looking into the feasibility of restricting the power of government-owned certificate authorities (CAs).
The members of the House Committee on Energy and Commerce sent a letter yesterday to Apple CEO Tim Cook asking whether reining in national governments’ power to issue certificates for services would be an effective measure.
The effectiveness of certificate authority frameworks is widely contested, even beyond politics, and many cases over the past few years have highlighted their flaws. There have been many incidents in which cybercriminals breached CAs’ systems in order to issue fake certificates, and others in which CAs accidentally issued certificates.
The letter states that CAs owned by national governments potentially pose serious threats to cybersecurity because of their status and authority.
“Our concern with a CA’s unfettered authority to issue certificates is heightened when the CA is owned and operated by a government. Because digital certificates are used to ensure the security and confidentiality of private communications like email and social media, such services can be targets for actors who wish to inhibit political freedoms such as free expression,” the letter reads.
It continues: “A government-owned CA that is accepted by the browsers may issue digital certificates for email providers or social media sites in order to seek out political dissent. Although the intent behind these certificates would be fraudulent, they would appear valid to a user’s browser. Exacerbating this issue, the traditional control put in place by the browsers to discourage this kind of malfeasance–the removal of the CA’s signature from the root store–would not be an effective deterrent to government CAs.”
The committee proposes restricting these government bodies to issuing certificates solely within their own country-code top-level domains (ccTLDs).
The group poses the following questions to Cook:
“Would restricting CAs run by governments to issuing certificates for their own properties within their own ccTLDs improve the security and stability of the certificate ecosystem?
“Is it currently technically feasible to restrict government CAs to their own properties in their respective ccTLDs?
“Are there any potential negative effects to such a restriction?”
CAs are typically privately operated groups, but in some countries, where these proposals would most apply, certificate systems are completely controlled by the national government.