[Ach] Certificate Authorities and Self-signed crap

Rainer Hoerbe rainer at hoerbe.at
Mon Dec 16 09:44:31 CET 2013

Am 14.12.2013 um 23:54 schrieb Aaron Zauner <azet at azet.org>:

> Actually I’m not sure that recommending self-signed CAs is in fact “better crypto”. And this statement is probably going to cause a lot of discussion, so let me explain; x509 was desgined to be a trust chain, not a compartmentalized system. Needless to say that a telephony protocol was the wrong choice for trust chains in a global network of autonomous systems interacting with each other. If a root CA get compromised the whole system is fucked. Big commercial CAs do not always employ the best security as recent history has shown. But what I’ve seen from people running their own CA is far worse in 80% of the cases. Then there is the obvious issue with how to trust a CA. Do I just blindly trust it as a user? And if I do so what if that CA is signing malicious third-party website certificates? That is exactly how DPI solutions are implemented in large companies throughout the united states and in parts europe. If everbody would employ self-signed CAs and people would accordingly install them and check fingerprints, it would also be a new angle of security attacks: You now have thousands of CAs you can compromise, most won’t conform with standards (just as commercial CAs do not *) and thus one can simply compromise a single CA and sign away.
> I think the security community is slowly reaching consensus on that topic: x509 will need to be replaced by a better solution sooner or later. Although my guess is that it’s going to take quite some time.

The decision whether to use a self-signed CA or not is context dependent. To serve a public site with no control over end-user devices one obviously has to rely on vendor-supplied trust roots. For areas where a limited number of participants can define and exercise a policy it is best to use a dedicated self-signed CA under the stakeholder's control. If there are no skilled resources to operate it then a commercial custom CA (root, no sub-CAs available for $$) might be a viable option.
For certain types of infrastructure that do not require to manage browsers or end-user devices, using standard browser/OS/java PKI would be an unnecessary downgrade to almost zero security.

- Rainer Hörbe

More information about the Ach mailing list