[Ach] StartSSL for Business Sysadmins

Alexander Wuerstlein arw at cs.fau.de
Mon Jan 13 15:26:00 CET 2014

On 14-01-13 14:24, robin.balean at a-trust.at <robin.balean at a-trust.at> wrote:
> I find the CA bashing on this list a bit naive and irresponsible. 
> Some CAs also issue qualified certificates for governments, which have
> even higher security requirements.  

Which isn't much of an assurance if the higher requirement is "and give
us MitM-certificates if we request them". And if the likes of RSA can be
paid to include questionable crypto, surely any CA can be bought or
bullied into compliance with some ominous "and make sure our lawful
interception stuff can read SSL" request. And of course you may remember
Diginotar and the "Staat der Nederlanden" disaster. The concept of "its
secure because somebody (government or private organisation) certified
it to be secure" is problematic.

> Employees who go anywhere near these systems need security clearances
> and every action needs dual authorisation.

Physical security may be nice in general, but its beside the point. All
your steel doors with two locks and stuff won't help if a) your software
is faulty (please show me the CA that has its root cert completely and
utterly offline, some HSM doesn't count) or b) your two employees do
stupid stuff anyways because the boss or their wallet says so.

> Of course anyone can create a CA for free just like anyone can create
> an identity document for free.  But just as there is a difference
> between your passport and your supermarket loyalty card, there is a
> difference between a certificate issued by serious commercial CA and a
> free CA.

Which would be what difference exactly? The price of the doors on the
server room? "There is more money thrown around" is not an argument I
could trust.

> Certainly I would not be comfortable going to my internet banking site
> if it were not using an SSL certificate issued by a CA whose policy
> and operations I trust.  

Yes, but why should one trust a more expensive CA over a cheap one? I
personally can't check the policy and operations of either one. And I
can't trust any audits like WebTrust or similar either since e.g.
DigiNotar certainly passed such an audit without the relevant problems
being discovered.

I can marginally trust the absence of public complaints about fake
certificates issued by CAs and the browser vendors' (usually too weak)
reaction to the cases were such fake certificates were issued. But that
mechanism only works after-the-fact and of course there may be a blind
area of things like wildcard certificates we just don't hear about.
There are some indications that there may be a larger market and blind
area for such wildcard certificates[0], and surely you will not get
those ones cheaply :)

> Surely the ACH document should be advising that non-serious CAs be
> removed from these lists

So everybody except your employer, I guess? ;) I can imagine that you
are sure that nothing can go wrong in your organisation, but why should
anybody else have that same trust? I can't see a reason. You only stated
the likes of "there is more money thrown around".

> instead of encouraging administrators to obtain their certificates
> from them.

Which would leave users with nonworking configurations. Currently the
only real purpose for certificates is "make the browser shut up about
those certificates when doing SSL". If one removes previously trusted
CAs from the browsers, random websites will stop working which will
either lead to fallback to plaintext or users being "educated" to just
click that "ignore and accept" button on every random CA problem. Which
is not only counterproductive but dangerous.

For everything else there are more trustworthy, systematically better
alternatives like ssh- and GPG-keys. Or private, organisation-wide CAs,
but with those there are still the generally weird problems with X.509


Alexander Wuerstlein.

[0] "[...] ut the reality is in my opinion that this is a common
industry practice.",

More information about the Ach mailing list