[Ach] Certificate Authorities and Self-signed crap

Aaron Zauner azet at azet.org
Sat Dec 14 18:37:45 CET 2013


Hi Ulrich,


On 14 Dec 2013, at 18:21, Ulrich Poeschl <ulrich.poeschl at bmlvs.gv.at> wrote:

> 
> I strongly disagree with the topic here. self-signed is the ONLY thing you can ultimately trust!

You seem to be missing the point..

>> Yes. But since that's a paragraph on PKI we should mention that official CA certs will be needed for external facing services like https or email.
> 
> what are "official CA certs"????
> 
> ca-certs that are loaded/pinned inside $random_browser and $random_OS?

Yes. And of course, we’d have to paraphrase that. The problem still being: If you provide a (any) service that is used outside of your company/department/trusted circle - you’ll have to deal with some CA that has root certificates stored in client software (think browsers, java,..). This is a real issue, since - for example - websites that serve large amounts of traffic cannot simply choose to deploy their own CA. They’ll end up with a certificate warning page for every user that tries to get to their website for the first time (even if they distribute their Root-CA afterwards). Which will scare off a lot of users.

> please do not mention "official CAs" in the paper. this term is confusing, $$$-driven and communicates a wrong sense of "security", IMHO.

I totally agree.

> we should - in fact - extend the existing paragraph, in the existing line of argument... in terms of "how to use self-signed CAs and certs with your customers" (fingerprint-checking, best practices for running your own CA,…)

That is a great idea. Would you be willing to write a paragraph or two on the topic?


BTW: I’ve seen endeavours to build free, non-commercial CAs by different parties over the last 10-15 years, the most prominent being the CCC. It simply did not work - It works for people in the security/admin area, but not for weekend users that just want to read their newspaper or browse through webmail. Ultimately that's why all of them failed, they did not get shipped per default by client software, and users did not seem to install the certificate on their own.

Aaron


