Why a PKI is barely trustworthy
- End-point trusts *any* certificate from *any* configured CA
  - Fake certificates issued by another CA are a common threat
  - Countermeasure "certificate pinning" was only standardized for HTTP (HPKP, now deprecated)
- Centralized system
  - High demand for confidentiality of CA private keys
  - Countermeasure "intermediate certificates" makes the system even more complex and adds more systems demanding high confidentiality
- Key revocation is cumbersome
  - Based on a centralized "black list"
  - Certificate Revocation Lists (CRLs) grow *huge* quickly and need to be distributed to each end-point
  - OCSP (Online Certificate Status Protocol) requires an online connection and additional services to be available 24/7
  - OCSP is a threat to privacy (every status query tells the CA which certificate, and thus which site, the client is contacting)
- Key renewal does not revoke the old key
  - If the old key is still valid (within its lifetime) and not on the CRL, it can still be used
- Complex to plan, deploy and run
- No opportunistic use
  - Can either be enforced or not used at all
  - Has no notion of "I started communicating encrypted, so I no longer accept unencrypted messages"
  - No TOFU (besides the now-deprecated HPKP)
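To make the pinning and TOFU points above concrete, here is an added illustration (not code from these notes) of a trust-on-first-use pin store with HPKP-style backup pins and max-age: a certificate that a configured CA would accept is still refused when it does not match the pinned key, while a planned key rotation can be pinned in advance. Pins are SHA-256 over a certificate's DER bytes; the `example.test` host name and the `CERT_*` byte strings are constructed stand-ins, not real certificates.

```python
import hashlib

def cert_pin(der_cert: bytes) -> str:
    """Pin = hex SHA-256 over the certificate's DER bytes."""
    return hashlib.sha256(der_cert).hexdigest()

class PinStore:
    """Per-host pin sets learned on first use, expiring after an HPKP-style max-age."""
    def __init__(self, default_max_age: float):
        self.default_max_age = default_max_age
        self._pins = {}  # host -> {"pins": set of pin strings, "expires": float}
    def verify(self, host: str, der_cert: bytes, now: float) -> str:
        """Return 'learned', 'ok' or 'mismatch' for the cert the peer presented."""
        pin, entry = cert_pin(der_cert), self._pins.get(host)
        if entry is None or entry["expires"] <= now:
            # First contact, or pins expired: trust on first use and record the pin.
            self._pins[host] = {"pins": {pin}, "expires": now + self.default_max_age}
            return "learned"
        if pin in entry["pins"]:
            return "ok"
        # The chain may validate against a configured CA, but it is not the
        # pinned key: treat it as a possible mis-issued certificate and refuse.
        return "mismatch"

    def update(self, host: str, der_cert: bytes, backup_pins, max_age: float, now: float) -> bool:
        """Install a pin set the peer advertises (like an HPKP header): only over a connection
        whose cert matches the stored pins, and only with a backup pin that differs from it."""
        pin, entry = cert_pin(der_cert), self._pins.get(host)
        if entry is None or entry["expires"] <= now or pin not in entry["pins"]:
            return False
        backups = set(backup_pins) - {pin}
        if not backups:
            return False
        self._pins[host] = {"pins": {pin} | backups, "expires": now + max_age}
        return True

# Constructed stand-in DER blobs; real code would hash parsed certificates.
CERT_A, CERT_B, CERT_C = b"der:server-key-A", b"der:other-ca-cert-B", b"der:server-key-C"

def demo() -> list:
    store = PinStore(default_max_age=30 * 86400)
    out = [store.verify("example.test", CERT_A, now=0)]            # learned (TOFU)
    out.append(store.verify("example.test", CERT_A, now=10))      # ok
    out.append(store.verify("example.test", CERT_B, now=20))      # mismatch: CA-valid but unpinned
    # Planned rotation: advertise C's pin as backup while still serving A.
    out.append(store.update("example.test", CERT_A, [cert_pin(CERT_C)], 30 * 86400, now=30))
    out.append(store.verify("example.test", CERT_C, now=40))      # ok via the backup pin
    # Caveat: once max-age lapses without an update(), whatever is presented is re-learned.
    out.append(store.verify("example.test", CERT_B, now=100 * 86400))  # learned again
    return out
```

The last step is the weak spot of any max-age based pin: an end-point that stays away longer than the window is back to trusting any configured CA on its next contact.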