[Ach] Certificate Authorities and Self-signed crap

Aaron Zauner azet at azet.org
Thu Dec 12 19:48:08 CET 2013


I’ve added a comment paragraph a week ago on self-signed CAs; we should discuss this:

This section deals with settings related to trusting CAs. However, our main
recommendation for PKIs is: if you are able to run your own PKI and disable
any other CA, do so. This makes the most sense in environments where any machine-to-machine
communication system's compatibility with external entities is not an issue.
%% azet:
%% this needs discussion! self-signed certificates simply do not work in practice
%% for real-world scenarios - i.e. websites that actually serve a lot of people

Now I’m the first to point out that CAs are basically snake-oil and do nothing but print money *. But: as the state of the internet is, we need them. We’re recommending stuff to operations people, not your casual hacker running his DEC Alpha with strong crypto to serve his friends. Because of this, we should clearly state that self-signed certificates cause a lot of trouble and that there is currently no alternative for companies and operations people serving serious content to a lot of people but to pay those CAs.


* Actually, there used to be CAs that took their job very seriously, and you had to show up and provide ID as well as a lot of other stuff. Some (like government CAs) still do that. This has become a problem for big CAs that accept requests from people overseas. So they started to do this via telephone (well, like that couldn’t be faked). Nowadays they do not see this as an important issue anymore, since manual checking just does not scale. And things that do not scale well won’t make as much money. So if you are a company like Verisign, you just don’t give a shit, because you buy up all the other small CAs anyway. Which has actually become a real problem: this industry is in fact a monopoly, and getting your small CA into clients has just become impossible. There are alternatives like Moxie’s Convergence project (http://convergence.io/), but people do not use them.

[Sorry for being so frank - but CAs and x509 just annoy me]
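To make the trade-off in the quoted paragraph concrete, here is an added shell example (not from the ACH draft or this thread). It builds a private root CA, issues a server certificate from it, and creates a plain self-signed certificate, then checks which of them a client that trusts *only* the private CA will accept, and whether the default system store accepts the private-CA-issued certificate at all. All names (`Example Private Root CA`, `intranet.example.test`, `www.example.test`) are constructed; it assumes a POSIX shell and the `openssl` CLI (1.1.0 or later, for `-no-CAfile`/`-no-CApath`).

```shell
#!/bin/sh
# Added example, not code from the ACH document: private-CA-only trust
# versus a self-signed certificate. All names below are constructed.
set -e

WORK=$(mktemp -d)
cd "$WORK"

# 1. Private root CA: the "run your own PKI" case from the draft text.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
  -subj "/CN=Example Private Root CA" \
  -keyout ca.key -out ca.pem >/dev/null 2>&1

# 2. A server key and CSR, signed by that private CA.
openssl req -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=intranet.example.test" \
  -keyout server.key -out server.csr >/dev/null 2>&1
openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days 30 -sha256 -out server.pem >/dev/null 2>&1

# 3. A self-signed certificate, the kind a public website must not rely on.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
  -subj "/CN=www.example.test" \
  -keyout selfsigned.key -out selfsigned.pem >/dev/null 2>&1

# verify_with BUNDLE CERT: exit 0 only if CERT chains to a root in BUNDLE.
# -no-CAfile/-no-CApath keep the system trust store out of the decision,
# which models a client configured to trust the private CA and nothing else.
verify_with() {
  bundle=$1; cert=$2
  openssl verify -no-CAfile -no-CApath -CAfile "$bundle" "$cert" >/dev/null 2>&1
}

# verify_with_system_store CERT: exit 0 only if the default (public) trust
# store accepts CERT; models an arbitrary browser or client on the internet.
verify_with_system_store() {
  openssl verify "$1" >/dev/null 2>&1
}

# Report each certificate's status against the private CA and the system store.
for c in server.pem selfsigned.pem; do
  if verify_with ca.pem "$c"; then echo "$c: trusted by private CA"
  else echo "$c: NOT trusted by private CA"; fi
  if verify_with_system_store "$c"; then echo "$c: trusted by system store"
  else echo "$c: NOT trusted by system store"; fi
done
```

The private-CA client accepts `server.pem` and rejects `selfsigned.pem`; the default store rejects both, which is exactly why a private PKI only works when every client is under your control and can be told to trust your root, and why a site serving the general public ends up buying a certificate from a CA the browsers already ship.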