Alexander Wuerstlein arw at cs.fau.de
Tue Jan 14 23:35:30 CET 2014

On 14-01-14 21:23, Tobias Dussa (SCC) <tobias.dussa at kit.edu> wrote:
> Hi,
> On Tue, Jan 14, 2014 at 05:55:01PM +0100, Aaron Zauner wrote:
> > > I can confirm this. At least for the Austrian Grid CA.
> > PS: you actually need to show up there and provide identification and
> > certification that you are who you say you are and are eligible for a
> > Grid CA cert request.
> The same goes for any DFN-PKI sub-CA.  IMHO both the DFN PKI and the EUGridPMA
> PKI are poster-boy examples of how to run CAs sensibly.  (Though admittedly I
> think the DFN-PKI is a little more user-friendly.)

Yes, the personal touch of our DFN Sub-CA guys knowing where my office is and
being able to meet them at the coffeemaker is certainly something
trust-building, in addition to the higher "no, email to ssladmin@
doesn't suffice, I need you and your passport" standards.

On the other hand, I've attended a talk by the SSL observatory guys who
worried about the sprawl of DFN Sub-CAs (basically there is one CA for
each German university, though the CA software infrastructure provided by
the DFN limits their ability to sign to their respective domain(s)) and
the potential dangers that might bring. And I can't really blame them
for worrying.


Alexander Wuerstlein.

