[Ach] Certificate Authorities and Self-signed crap

Ulrich Poeschl ulrich.poeschl at bmlvs.gv.at
Sat Dec 14 20:07:26 CET 2013

>> what are "official CA certs"????
>> ca-certs that are loaded/pinned inside $random_browser and $random_OS?
> Yes. And of course, we'd have to paraphrase that. The problem still  
> being: If you provide a (any) service that is used outside of your  
> company/department/trusted circle - you'll have to deal with some CA  
> that has root certificates stored in client software (think  
> browsers, java,..). This is a real issue, since - for example -  
> websites that serve large amounts of traffic cannot simply chose to  
> deploy their own CA.

In terms of security, why not? Because the marketing-deparment will  
complain. But hey. I don't care about them. :)

> They'll end up with a certificate warning page for every user that  
> tries to get to their website for the first time (even if they  
> distribute their Root-CA afterwards). Which will scare off a lot of  
> users.

of course I get what you mean. but you are talking about "user  
friendiness" and "frictionless" interoperability here, not about  
"better crypto".

> That is a great idea. Would you be willing to write a paragraph or  
> two on the topic?

I just started ;-)

> BTW: I've seen endeavours to build free, non-commercial CA by  
> different parties over the last 10-15 years, the most prominent  
> being the CCC. It simply did not work - It works for people in the  
> security/admin area, but not for weekend users that just want to  
> read their newspaper or browse through webmail. Ultimately thats why  
> all of them failed, they did not get shipped per default by client  
> software, and users did not seem to install the certificate on their  
> own.

if you are a corporation that is serious about the protection of the  
data transferred you _have to_ "force" your users to

- manually install your selfsigned CA-cert
- verify the fingerprint

before they start working with you.

startssl is not "better crypto". but hey, it's in my browser.

of course you can't get weekend-users to do that, but weekend-users  
are also not the ones reading this paper and learning about "NSA-proof  
cipher suites".

see abstract: "This guide arose out of the need for system administrators ..."

hm. I will write something and commit it on monday.



More information about the Ach mailing list