[Ach] StartSSL for Business Sysadmins

Tobias Dussa (SCC) tobias.dussa at kit.edu
Tue Jan 14 23:51:20 CET 2014


Hi,

On Tue, Jan 14, 2014 at 11:35:30PM +0100, Alexander Wuerstlein wrote:
> > The same goes for any DFN-PKI sub-CA.  IMHO both the DFN PKI and the EUGridPMA
> > PKI are poster-boy examples of how to run CAs sensibly.  (Though admittedly I
> > think the DFN-PKI is a little more user-friendly.)
> Yes, the personal touch of our DFN Sub-CA guys knowing where my office is and
> being able to meet them at the coffeemaker is certainly something
> trust-building, in addition to the higher "no, email to ssladmin@
> doesn't suffice, I need you and your passport" standards.

;-)

> On the other hand I've attended a talk by the SSL observatory guys who
> worried about the sprawl of DFN Sub-CAs (basically there is one CA for
> each German university though the CA software infrastructure provided by
> the DFN limits their ability to sign to their respective domain(s)) and
> the potential dangers that might bring. And I can't really blame them
> for worrying.

Dunno.  It always feels like those folks are just scared by the concept of
sub-CAs, frankly.  One single look at how the DFN PKI show is run is enough to
understand that this is actually exactly how things are supposed to work out
IMHO.

I see why people are scared though.  Pretty much nobody other than DFN ever
bothered to set it up right, so the DFN PKI is pretty much the only CA with a
serious number of active sub-CAs.  (Looks really nice on the SSL map of the SSL
observatory though. -:))  Leads to very curious problems as well.  For most
major vendors we encounter -- mostly hardware vendors at that -- the concept of
having a sub-CA is so alien that usually the first bug report/feature request
that we have to file whenever we get a new line of products is that we would
really, really, really like to be able to configure not only a certificate and
its key into an appliance's web interface, but also a *gasp* certificate
chain...  Usually takes them ages to get the concept and another eon to
implement. *sigh* :-)

BTW, this is an example of a perfectly legit use case for X.509 IMHO.  Why
bother collecting and keeping track of self-rolled SSH keys of, say, KVM
switches when you can just put real SSL certificates from a known good CA on
them and just be done with it?

Cheers,
Toby.
-- 
Those of you who think they know everything are very annoying to those
of us who do!

----

Karlsruhe Institute of Technology (KIT)
Steinbuch Centre for Computing (SCC)
KIT-CERT

Tobias Dussa
CERT Manager, CA Manager

Zirkel 2
Building 20.21
76131 Karlsruhe, Germany

Phone: +49 721 608-42479
Fax: +49 721 608-9-42479
Email: tobias.dussa at kit.edu
Web: http://www.kit.edu/

KIT – University of the State of Baden-Wuerttemberg and
National Laboratory of the Helmholtz Association


