[Ach] StartSSL for Business Sysadmins

robin.balean at a-trust.at
Mon Jan 13 14:22:48 CET 2014

I find the CA bashing on this list a bit naive and irresponsible. 

A professional commercial CA is normally far more trustworthy than a free CA because of the infrastructure and security of their datacentres, their adherence to certificate security policies, the availability of their OCSP and CRLs, the money they guarantee to pay should one of their certificates be falsely issued, and so on.  All of their infrastructure and policies are often required to be certified and regularly audited.  Some CAs also issue qualified certificates for governments, which have even higher security requirements.  Employees who go anywhere near these systems need security clearances and every action needs dual authorisation.

Of course anyone can create a CA for free just like anyone can create an identity document for free.  But just as there is a difference between your passport and your supermarket loyalty card, there is a difference between a certificate issued by a serious commercial CA and a free CA.  Certainly I would not be comfortable going to my internet banking site if it were not using an SSL certificate issued by a CA whose policy and operations I trust.

There are legitimate reasons for running an in-house CA for securing internal services.  In many cases something like the Microsoft CA will be exactly what you need.  However, if you need to run any services that must be trusted externally, such as web servers or mail servers, you will need to obtain a certificate from a CA that is trusted outside of the organisation.  Unless you are enabling SSL just to tick a box, you really should make sure that the CA you use is appropriately secure and reliable.

One of the real issues with CAs that needs to be covered in ACH is the trust lists that are automatically built into many browsers, applications and devices.  There are many CAs in these lists that an administrator may not necessarily want to trust by default.  Some are CAs that have no relevance to the applications that are being used, while others are ones that should not be trusted because of their insecure operations.

Surely the ACH document should be advising that non-serious CAs be removed from these lists instead of encouraging administrators to obtain their certificates from them.
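The last two paragraphs of the post argue for removing unwanted CAs from the default trust lists rather than merely choosing a good CA for one's own certificates. As an added example that is not part of the original message, the Python below prunes a PEM CA bundle by a SHA-256 fingerprint denylist (the form `openssl x509 -noout -fingerprint -sha256` prints) and shows how the result becomes the only trust anchor set of a client TLS context. The function names (`prune_bundle`, `fingerprint`, `context_from_bundle`) are my own, and the sample bundle is built from constructed placeholder blobs, not real X.509 certificates, so that it runs offline.

```python
import base64
import hashlib
import re
import ssl

# Matches one PEM certificate block, capturing the base64 body.
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def iter_pem_certs(bundle_text):
    """Yield (pem_block, der_bytes) for every certificate in a PEM bundle.

    Comment lines and other text between blocks are skipped, as PEM
    readers do with system bundle files.
    """
    for match in PEM_CERT_RE.finditer(bundle_text):
        body = "".join(match.group(1).split())
        der = base64.b64decode(body, validate=True)
        yield match.group(0), der


def fingerprint(der):
    """SHA-256 of the DER encoding as uppercase hex without colons.

    Same digest as `openssl x509 -fingerprint -sha256`, minus the colons,
    so a denylist can be pasted straight from that output.
    """
    return hashlib.sha256(der).hexdigest().upper()


def normalise(fp):
    """Accept 'AB:CD:..', 'ab:cd:..' or bare hex and return canonical form."""
    return fp.replace(":", "").replace(" ", "").upper()


def prune_bundle(bundle_text, denylist):
    """Return (pruned_pem_text, removed_fingerprints).

    Certificates whose fingerprint is in the denylist are dropped; every
    other block is kept verbatim, in its original order.
    """
    deny = {normalise(fp) for fp in denylist}
    kept, removed = [], []
    for pem_block, der in iter_pem_certs(bundle_text):
        fp = fingerprint(der)
        if fp in deny:
            removed.append(fp)
        else:
            kept.append(pem_block)
    pruned = "\n".join(kept)
    if pruned:
        pruned += "\n"
    return pruned, removed


def context_from_bundle(pem_text):
    """Client TLS context that trusts only the roots in pem_text.

    PROTOCOL_TLS_CLIENT gives CERT_REQUIRED plus hostname checking but
    loads no default CAs, so the pruned bundle is the whole trust store.
    Only meaningful with real certificates; the placeholders below would
    be rejected by the parser.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cadata=pem_text)
    return ctx


def _placeholder_cert(label):
    """Constructed stand-in for a root (NOT a real X.509 certificate)."""
    body = base64.b64encode(label.encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----"


# Constructed sample bundle: three placeholder "roots" with comment lines
# in the style of a system CA bundle.
SAMPLE_BUNDLE = "\n".join([
    "# Root A (placeholder)",
    _placeholder_cert("Root A placeholder"),
    "# Root B (placeholder)",
    _placeholder_cert("Root B placeholder"),
    "# Root C (placeholder)",
    _placeholder_cert("Root C placeholder"),
    "",
])

# Denylist written the way an administrator would copy it from openssl:
# colon-separated SHA-256 fingerprint of the root to distrust (Root B).
SAMPLE_DENYLIST = [
    ":".join(fingerprint(b"Root B placeholder")[i:i + 2] for i in range(0, 64, 2)),
]

if __name__ == "__main__":
    pruned, removed = prune_bundle(SAMPLE_BUNDLE, SAMPLE_DENYLIST)
    print(f"removed {len(removed)} root(s): {removed}")
    print(pruned)
```

Pruning a copy of the bundle and pointing the application at it (or setting `SSL_CERT_FILE` for OpenSSL-based tools) keeps the change auditable and reversible; on Debian-derived systems the distribution's own mechanism is to prefix the unwanted entry with `!` in `/etc/ca-certificates.conf` and re-run `update-ca-certificates`, and browsers keep their own stores that must be edited separately.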
