[Ach] Certificate Authorities and Self-signed crap

[L. Aaron Kaplan]

On Dec 12, 2013, at 7:48 PM, Aaron Zauner <azet at azet.org> wrote:

> Hi,
> 
> I’ve added a comment paragraph a week ago on self-signed CAs, we should discuss this:
> 
> “””
> This section deals with settings related to trusting CAs. However, our main
> recommendations for PKIs is: if you are able to run your own PKI and disable
> any other CA, do so. This makes sense most in environments where any machine-to-machine
> communication system compatibility with external entities is not an issue.
> %% azet:
> %% this needs discussion! self-signed certificates simply do not work in practices
> %% for real-world scenarios - i.e. websites that actually serve a lot of people
> “””

Please read the sentence again. It clearly says that if you can run your own CA (and no one else depends on it) then it is fine to run your own CA.
Example: internal OpenVPN with your own (well-protected) easy-RSA CA.
I see no problem with that.

> 
> Now I’m the first to point out that CAs are basically snake-oil and do nothing but print money *. But: as the state of the internet is, we need them. We’re recommending stuff to operations people, not your casual hacker running his DEC Alpha with strong crypto to serve his friends. Because of this, we should clearly state that self-signed certificates cause a lot of trouble
Depends on the context. 
Sometimes running an OpenVPN with certificates issued by an official CA is asking for more trouble than running your own CA.



--- 
// L. Aaron Kaplan <kaplan at cert.at> - T: +43 1 5056416 78
// CERT Austria - http://www.cert.at/
// Eine Initiative der nic.at GmbH - http://www.nic.at/
// Firmenbuchnummer 172568b, LG Salzburg




-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 163 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.cert.at/pipermail/ach/attachments/20131212/8d3b1b5b/attachment.sig>