[Ach] StartSSL for Business Sysadmins

Tobias Dussa (SCC) tobias.dussa at kit.edu
Sun Jan 12 20:21:59 CET 2014


On Sun, Jan 12, 2014 at 09:17:56PM +0300, ianG wrote:
> PKI is a nightmare and it is designed to be so.  There is no way to
> make it Better, only more compliant with someone's guide or other.

I beg to differ, but that doesn't really matter.

What I do think is important is that we really shouldn't ignore the fact that
X.509 is not an option in many users' and admins' lives, and that in many
situations it actually is the best available way to meet security goals at a
reasonable cost.

We should instead help people to use it in a better way.  Instead of bitching
that Microsoft or Debian or Mozilla or whoever includes a truckload of CAs that
are trusted by default, we should tell people about it and what to do about it.
Instead of declaring that we won't cover CAs at all because there are
commercial CAs with questionable CP/CPSs out there we should tell people about
the alternatives and what to look for.  Instead of ranting about how CAs can
easily fake certificates for eavesdropping on individual connections, let's
offer some instructions on how to detect and maybe avoid that.

Based on my own experience, I think that that is indeed a huge subject field, so
I think it was a good decision to leave it as is for the first release.  But I
am also fairly certain that ignoring the subject won't make any of the problems
go away.

Just my €.02.

Help others.  Failing in that, do no harm.
                                       ---Dalai Lama


Karlsruhe Institute of Technology (KIT)
Steinbuch Centre for Computing (SCC)

Tobias Dussa
CERT Manager, CA Manager

Zirkel 2
Building 20.21
76131 Karlsruhe, Germany

Phone: +49 721 608-42479
Fax: +49 721 608-9-42479
Email: tobias.dussa at kit.edu
Web: http://www.kit.edu/

KIT – University of the State of Baden-Wuerttemberg and
National Laboratory of the Helmholtz Association

More information about the Ach mailing list