EFF Asks Verizon Whether Etisalat Deserves CA Trust
Peter Eckersley writes "Today EFF published an open letter to Verizon, calling for investigation of a trusted SSL Certificate Authority. Etisalat is a majority state-owned telecom of the United Arab Emirates with operations throughout the Middle East. You may remember that last year Etisalat installed malware on its subscribers' BlackBerry phones, and was recently pivotal in the UAE's threat to disconnect BlackBerry devices altogether if Research In Motion did not provide a backdoor for BES servers' crypto. This company, which appears to be institutionally hostile to the existence and use of secure cryptosystems, is in possession of a master certificate for HTTPS, encrypted POP and IMAP, and other SSL-based security systems. Etisalat's CA certificate is not trusted directly by Mozilla and Microsoft, but was instead delegated as an Intermediate CA by Verizon. As a result, we are asking Verizon to investigate whether it is appropriate for Etisalat to continue holding this certificate, and to consider revoking it."
I'm totally confused by this request from the EFF. Authorities exist to assure identity; a root authority's job is to assure the identities of the people it hands out certificates to. Is the EFF suggesting that Etisalat isn't who they claim to be?
It isn't up to Verizon to police the internet; it is up to Verizon to check that Etisalat is who they claim to be, and then grant them a certificate, or in this case grant them the ability to generate their own child certificates.
If people distrust Etisalat-generated key sets, then take your business to a root authority which you do trust. You also have the option of revoking their certificates on your machine or in your browser. A better person to send this letter to would be, for example, Microsoft, Red Hat, Mozilla, and anyone else trusting Etisalat RA.