[Ach] StartSSL for Business Sysadmins

Tobias Dussa (SCC) tobias.dussa at kit.edu
Tue Jan 14 10:37:26 CET 2014


Hi,

On Tue, Jan 14, 2014 at 11:38:52AM +0300, ianG wrote:
> > That depends entirely on how the client is set up and CAN be addressed.  That is
> > EXACTLY the point: Whining about how everything is broken if implemented in a
> > stupid way is nice, but what is needed is some advice on what to do about it
> > sensibly.
> Write it?  Provide it?

I'm not saying I won't contribute to that and, in fact, I have already
contributed to that.

What you're saying is you would like to keep the entire subject out of ACH.
That's what I'm opposed to, that's all I'm saying.  I'm not saying you should be
the one contributing stuff in that domain.

> I'm not sure clients can be set up and addressed.

Bah, sure they can.  Same as with ssh.  All a matter of making a trade-off
between usability and security.

> It might be possible to provide advice for a corporation to set up and
> configure all its web browsers, but I hadn't heard this was easy.  The
> big problem with web browsers is that they assume that all CAs are the
> same, and as you so manifestly say, this isn't the case.

Yep.  Certainly.  So this is an issue that must be addressed, at the very least
by educating the user about this fact so that she can make informed decisions.
Just saying "bah, this is all broken, I refuse even to talk about it" is not a
sensible thing to do, I'm sorry.

> So either the corporate reconfigures the root list (to what? not easy)
> or the browsers display the CAs prominently (which they refuse to do
> normally, is there a config that will make them do that?) and we get the
> users to learn their favourite brands.
> What is it that you are hinting of?  If you can add to this, I'm not
> proud, I'll be the first to steal your advice and push it through CAcert :)

What do you mean "what I am hinting of?"  What do I propose users should be
told?  At the very least, they need to be enabled to make conscious decisions.
Leaving it as it is, which I agree is bad, effectively doesn't help to increase
security.
Then, people should consider removing those CAs that they feel are fishy.  Yes,
that is a murky decision to make, and we should not make that for the users, but
again, providing some guidelines is much better than just ignoring the subject
and hoping it'll go away on its own (which it won't).

Then there's things like the Perspectives plugin and certificate pinning and
stuff.  This all helps a bit, but people need to know about it.

For non-browser applications, chances are much better that trimming down the
list of trusted CAs to a handful or even just one CA is actually feasible.  In
that case, much of the criticism about X.509 just vanishes.

I'm certain there's a lot of other aspects that I didn't think of right now.

> >> Those "Free" packages are not really free. Either the cert is a marketing
> >> tool, or there is some other business model. Startssl.com is not 100% free,
> >> e.g. they charge for revocation.
> > So what's the business model for CAcert?
> Good and difficult question.  For CAcert, its mission is more or less
> to protect its members.

My point exactly.  The assumption above was that a free CA is not really free
(in terms of costs) but there is some underlying heinous marketing scheme.  All
I was saying is that I am not aware of such a scheme with CAcert.

> As a "cost" equation, using CAcert certificates is actually quite
> expensive (leaving aside the root list issue).  You have to get assured
> and that can take some time and visits and expense.  I also noticed

That might or might not be the case.  Here in our neck of the woods, you can get
assured pretty much instantly at no cost at all except that you have to somehow
arrange to come to KIT once (which obviously is probably not nothing but also
not even close to the $60/year you quoted for StartSSL).

Cheers,
Toby.
-- 
Honk if you love peace and quiet!

----

Karlsruhe Institute of Technology (KIT)
Steinbuch Centre for Computing (SCC)
KIT-CERT

Tobias Dussa
CERT Manager, CA Manager

Zirkel 2
Building 20.21
76131 Karlsruhe, Germany

Phone: +49 721 608-42479
Fax: +49 721 608-9-42479
Email: tobias.dussa at kit.edu
Web: http://www.kit.edu/

KIT – University of the State of Baden-Wuerttemberg and
National Laboratory of the Helmholtz Association


