[Ach] Certificate Authorities and Self-signed crap
Ulrich Poeschl
ulrich.poeschl at bmlvs.gv.at
Sat Dec 14 20:07:26 CET 2013
>> what are "official CA certs"????
>>
>> ca-certs that are loaded/pinned inside $random_browser and $random_OS?
>
> Yes. And of course, we'd have to paraphrase that. The problem still
> being: If you provide a (any) service that is used outside of your
> company/department/trusted circle - you'll have to deal with some CA
> that has root certificates stored in client software (think
> browsers, java,..). This is a real issue, since - for example -
> websites that serve large amounts of traffic cannot simply choose to
> deploy their own CA.
In terms of security, why not? Because the marketing-department will
complain. But hey. I don't care about them. :)
> They'll end up with a certificate warning page for every user that
> tries to get to their website for the first time (even if they
> distribute their Root-CA afterwards). Which will scare off a lot of
> users.
of course I get what you mean. but you are talking about "user
friendliness" and "frictionless" interoperability here, not about
"better crypto".
> That is a great idea. Would you be willing to write a paragraph or
> two on the topic?
I just started ;-)
> BTW: I've seen endeavours to build free, non-commercial CA by
> different parties over the last 10-15 years, the most prominent
> being the CCC. It simply did not work - It works for people in the
> security/admin area, but not for weekend users that just want to
> read their newspaper or browse through webmail. Ultimately that's why
> all of them failed, they did not get shipped per default by client
> software, and users did not seem to install the certificate on their
> own.
if you are a corporation that is serious about the protection of the
data transferred you _have to_ "force" your users to
- manually install your selfsigned CA-cert
- verify the fingerprint
before they start working with you.
startssl is not "better crypto". but hey, it's in my browser.
of course you can't get weekend-users to do that, but weekend-users
are also not the ones reading this paper and learning about "NSA-proof
cipher suites".
see abstract: "This guide arose out of the need for system administrators ..."
hm. I will write something and commit it on monday.
cheers,
Ulrich
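
The "verify the fingerprint" step from the message above, as an added example that is not part of the original post: it hashes the DER encoding of a CA certificate and compares it with a fingerprint the user received out of band. The function names, the choice to accept only SHA-256 fingerprints, and the sample PEM (constructed placeholder bytes, not a real certificate) are assumptions of this example.

```python
import base64
import hashlib
import hmac
import ssl
import string

# Constructed sample: placeholder bytes wrapped in PEM armour, NOT a real certificate.
SAMPLE_DER = b"constructed stand-in for the DER bytes of a self-signed CA cert"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode("ascii")
              + "-----END CERTIFICATE-----\n")


def cert_fingerprint(pem_text):
    """SHA-256 over the certificate's DER encoding, as lowercase hex."""
    der = ssl.PEM_cert_to_DER_cert(pem_text.strip())
    return hashlib.sha256(der).hexdigest()


def colon_form(hex_fp):
    """Render hex as AA:BB:CC..., the form certificate viewers usually show."""
    return ":".join(hex_fp[i:i + 2] for i in range(0, len(hex_fp), 2)).upper()


def normalise(published):
    """Accept 'AA:BB:..', 'aa bb ..' or plain hex; insist on SHA-256 length."""
    cleaned = "".join(ch for ch in published if ch not in ": \t\r\n").lower()
    if not cleaned or any(ch not in string.hexdigits for ch in cleaned):
        raise ValueError("fingerprint is not hexadecimal")
    if len(cleaned) != 64:
        # A 40-digit value is SHA-1 and a 32-digit value is MD5; both are refused
        # here (assumption of this example) rather than silently compared.
        raise ValueError("expected 64 hex digits (SHA-256), got %d" % len(cleaned))
    return cleaned


def fingerprint_matches(pem_text, published):
    """True only if the certificate hashes to the out-of-band fingerprint."""
    return hmac.compare_digest(cert_fingerprint(pem_text), normalise(published))


if __name__ == "__main__":
    # In practice 'published' is what the user reads from a second channel
    # (phone, paper, signed mail), never from the same download as the cert.
    published = colon_form(cert_fingerprint(SAMPLE_PEM))
    print("computed :", published)
    print("match    :", fingerprint_matches(SAMPLE_PEM, published))
```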