Congress Looking Into Restricting Power of Government-Owned CAs

UPDATE–As the debate over potential government interference with encryption technologies rages in countries around the world, Congress is now going down a different path, asking technology companies whether it’s feasible and potentially effective for certificate authorities to restricting the way that government-owned CAs can issue certificates.

Members of the House Committee on Energy and Commerce on Tuesday sent letters to the CEOs of Apple, Google, Microsoft, and Mozilla expressing concern that CAs owned by national governments have the power to issue certificates for any service they want and impersonate those services to users. This is one of the fundamental problems with the certificate authority system, and not just as it applies to governments. There have been numerous incidents in the last few years involving attackers compromising CAs in order to issue fraudulent certificates, and others in which CAs have mistakenly issued certificates for high-value sites, leading to major problems.

In the letter, four members of the Energy and Commerce Committee say that government-owned CAs pose a particularly serious potential threat to Internet security due to their position and authority.

“Our concern with a CA’s unfettered authority to issue certificates is heightened when the CA is owned and operated by a government. Because digital certificates are used to ensure the security and confidentiality of private communications like email and social media, such services can be targets for actors who who to inhibit political freedoms such as free expression,” the letter says.

“A government-owned CA that is accepted by the browsers may issue digital certificates for email providers or social media sites in order to seek out political dissent. Although the intent behind these certificates would be fraudulent, they would appear valid to a user’s browser. Exacerbating this issue, the traditional control put in place by the browsers to discourage this kind of malfeasance–the removal of the CA’s signature from the root store–would not be an effective deterrent to government CAs.”

To address this problem, the committee members suggest that it might be a good idea to restrict government-owned CAs to issuing certificates only for domains in their own country-code TLD. In the letter, the committee members ask the executives to answer several questions about this plan, including:

  • Would restricting CAs run by governments to issuing certificates for their own properties within their own ccTLDs improve the security and stability of the certificate ecosystem?
  • Is it currently technically feasible to restrict government CAs to their own properties in their respective ccTLDs?
  • Are there any potential negative effects to such a restriction?

While there are a number of government-owned CAs around the world, most certificate authorities are privately owned and operated. In some countries the CA infrastructure is completely controlled by the government, while in others there are CAs that are run as a kind of public-private concern.

This story was updated on June 10 to reflect the fact that the committee also sent the letters to Google, Microsoft, and Mozilla.

Suggested articles