In 2011 Moxie Marlinspike gave his SSL And The Future Of Authenticity talk at DEFCON 19 and I was fortunate enough to be there in the audience. He spoke of the current state of trust in Certificate Authorities (CA) and the associated problems with it. His talk concluded by introducing Convergence, an alternative way to verify trust for SSL certificates without a CA. In listening to him talk I become enamored by the topic and wanted to learn a whole lot more after DEFCON. Shortly after this I began toying with the idea of becoming my own Certificate Authority and wanted to learn more about the vetting process associated with CAs.

In my naiveness I assumed the process would be easy and that I would be able to usurp various root trust stores with very little vetting. Thankfully I was proven wrong. In my journey I discovered that the only thing in my way from being added to various trust stores was a third party audit which costs a lot of money. Darn!

With the new found knowledge that it was in fact kind of hard to become a CA, I decided to change my focus to learn more about the vetting process and share the knowledge of what I’ve learned there. This culminated into a talk that I gave at Black Lodge Research. I’d recommend that you my dear reader review the slides and feel free to reach out to me if you have any questions. I purposefully left out much context from the slides, but I’d be willing to share context for each slide if there is interest in it.

Slides: Certificate Authorities, the shady world of trust (PDF)

If you see any errors in my slides, please let me know and I’ll be sure to make edits where appropriate.