Does anyone have a listing of where Root CAs keep their keys and intermediates?

Does anyone have a listing of where ACME Root CAs keep their keys and intermediates? I am looking to compile a shortlist of CAs that do not have Roots or Intermediates on US soil.

4 Likes

I feel like it's probably mentioned in the various CA audit reports, which are probably public, but I'm not aware of anyone who has compiled and summarized them. Is there a way to get audit reports out of Mozilla or CCADB or something? :thinking:

2 Likes

Good idea. I wonder if EFF might have some info on their legal side. I have some friends there.

1 Like

Of course, if you're paranoid enough, you might be concerned there's nothing in ACME (or elsewhere I suspect) stopping a CA from issuing your new cert from a fresh new intermediate stored in a datacenter in a new location/jurisdiction (or the CA from copying their existing key material to a datacenter in a new location). I'm guessing that a CA doing so would show up in an audit report eventually, but that might be with a significant delay from when you got your cert signed.

1 Like

In the case of BuyPass I don't think that'll pass, because their CPS (https://repository.buypassca.com/cpsTLS-v1-0.pdf) states the following:

The laws of the country of Norway governs the construction, validity, interpretation, enforceability and performance of this Certification Practice Statement and all related Subscriber Agreements.

Thus if they'd suddenly start issuing certs outside of the Norwegian jurisdiction, those certs wouldn't comply with their own CPS, thus wouldn't have been issued according to the BRs, and thus should be revoked.

Unless issuing certs from somewhere else entirely would still count as inside the jurisdiction of the original CA?

Yeah, I'm not sure "jurisdiction" implies "must store key material only there" (even if their contracts require being interpreted under Norwegian law, and even if that means their main servers are all in that country, I don't think it forbids them from having backup copies of their keys in other countries). In any event, even if one was happily getting certificates from them, I think they could update their CPS at any time without further notice, which would apply to one's next certificate that one got a millisecond later.

1 Like

True, but the latter also counts for any listing of the location of root certs :stuck_out_tongue: Lists are prone to get outdated :wink: Legal repos can be scraped periodically in theory for updates :slight_smile:

Yeah, that's why I'm assuming that the audit reports would be the most authoritative, and hopefully say where key material is actually stored. Since that's what was requested originally. Though "has key material on US soil" and "can be interfered with by the US government" might not quite be the same thing.

1 Like

While there are probably lots of CAs that offer ACME these days, there are only a handful of openly available ones. Checking them isn't that difficult, but checking all the CAs - no thanks :slight_smile:

5 Likes

Speaking as someone who served on the C-Level and Advisory Boards of large publishers, and has had colleagues and friends targeted by members of the current administration in the past: events of the past week, in which government and quasi-government personnel abruptly took over multiple agencies and computer systems without the proper legal authority (and potentially adequate security practices), have completely eroded my trust in any roots/intermediates/data on US soil.

Due to gag orders and the nature of National Security Letters and similar legal tools, it can be impossible to know when/if/how a USA-based CA was compromised or compelled into action - LetsEncrypt publishes some of this in aggregate, but they can be silenced. Previously, we could expect these actions to have happened after court approval and with a proper legal defense to challenge it; this is no longer the case.

For a foreign-based CA, however, the USA would need to use a formal legal process to compel those actions through treaty recognition; they can't just march into a data center and instantly seize control. That brings us back to the previous status quo of there being some sort of oversight and legal guardrails involved.

3 Likes

Yes, all WebTrust audit reports must state the approximate location of the key material they are auditing, and all WebTrust audit reports are accessible via CCADB reports. But it'll take a lot of processing to extract that information from all those PDFs, and I don't personally know what the situation is for ETSI audits.

4 Likes
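The post above describes the pipeline but not the plumbing: pull the CCADB certificate-records export, collect each CA owner's audit-report URLs, extract the PDFs to text, then pull out the sentence that states where the key material lives. Below is an added example of that post-processing step; it is not code from the thread or from CCADB. Assumptions, all labelled in the code: the CSV column names ("CA Owner", "Certificate Name", "Certificate Record Type", "Standard Audit") are taken from memory of the CCADB export and may differ in the live file; the sample rows, CA names, URLs and audit-text excerpts are constructed; the "located in ..." phrasing the regex looks for is a guess at typical report wording, not a quote from any real audit; and the PDF-to-text step (pdftotext, pypdf or similar) is left out so the script runs offline.

```python
"""Post-process CCADB records and audit-report text to shortlist CAs by
key location. Added example for the forum thread; not CCADB's own code.
Column names, sample rows, URLs and audit excerpts are constructed
assumptions, not real data."""
import csv
import io
import re
from collections import defaultdict

# Constructed sample mirroring the assumed shape of the CCADB
# "All Certificate Records" CSV export. Column names are an assumption.
SAMPLE_CCADB_CSV = """\
"CA Owner","Certificate Name","Certificate Record Type","Standard Audit"
"Example CA AS","Example Root R1","Root Certificate","https://example.invalid/audits/2024-webtrust.pdf"
"Example CA AS","Example Intermediate E1","Intermediate Certificate","https://example.invalid/audits/2024-webtrust.pdf"
"Contoso Trust Inc.","Contoso Root G2","Root Certificate","https://contoso.invalid/webtrust-2024.pdf"
"Contoso Trust Inc.","Contoso Issuing CA 3","Intermediate Certificate",""
"""

# Constructed stand-ins for text extracted from the audit PDFs
# (in a real run: pdftotext / pypdf output). Wording is invented.
SAMPLE_AUDIT_TEXT = {
    "https://example.invalid/audits/2024-webtrust.pdf":
        "... the CA's key management facilities are located in Oslo, Norway "
        "and a disaster recovery site located in Bergen, Norway ...",
    "https://contoso.invalid/webtrust-2024.pdf":
        "... operations are located in Ashburn, Virginia, United States, with "
        "a secondary facility located in Frankfurt, Germany ...",
}

# Heuristic: capture what follows "located in" up to a clause boundary
# ("and", "with", a period/semicolon, or a trailing ellipsis).
LOCATION_RE = re.compile(
    r"located in ([^.;]+?)(?=,?\s+(?:and|with)\b|[.;]|\s*\.\.\.)")

# Markers that flag a US presence; dotted form allowed to end mid-sentence.
US_RE = re.compile(r"\bunited states\b|\bu\.s\.a?\.?|\busa\b", re.IGNORECASE)


def audit_urls_by_owner(csv_text):
    """Map each CA owner to the distinct audit-report URLs in its rows.
    Rows with an empty audit cell are skipped rather than treated as a URL."""
    owners = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        url = (row.get("Standard Audit") or "").strip()
        if url:
            owners[row["CA Owner"]].add(url)
    return dict(owners)


def key_locations(audit_text):
    """Distinct location phrases an audit excerpt names, sorted for stable output."""
    return sorted({m.group(1).strip() for m in LOCATION_RE.finditer(audit_text)})


def mentions_us(locations):
    """True if any extracted location phrase names the United States."""
    return any(US_RE.search(loc) for loc in locations)


def shortlist(csv_text, audit_texts):
    """Owner -> (locations, us_presence). Owners whose audit text is missing
    get an empty location list and False, so check coverage before trusting it."""
    result = {}
    for owner, urls in audit_urls_by_owner(csv_text).items():
        locs = set()
        for url in urls:
            text = audit_texts.get(url)
            if text is not None:
                locs.update(key_locations(text))
        locs = sorted(locs)
        result[owner] = (locs, mentions_us(locs))
    return result


if __name__ == "__main__":
    for owner, (locs, us) in shortlist(SAMPLE_CCADB_CSV, SAMPLE_AUDIT_TEXT).items():
        print(f"{owner}: {', '.join(locs) or '(no audit text)'} -> US presence: {us}")
```

The regex is deliberately loose and will need tuning against real report wording; the useful property of the design is that every hit is traceable back to an audit URL, so a shortlist entry can be checked against the actual PDF rather than trusted blindly, and a CA with no parsed location shows up as unknown rather than silently "non-US".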
