[Ach] StartSSL for Business Sysadmins

Tobias Dussa (SCC) tobias.dussa at kit.edu
Tue Jan 14 23:51:20 CET 2014


On Tue, Jan 14, 2014 at 11:35:30PM +0100, Alexander Wuerstlein wrote:
> > The same goes for any DFN-PKI sub-CA.  IMHO both the DFN PKI and the EUGridPMA
> > PKI are poster-boy examples of how to run CAs sensibly.  (Though admittedly I
> > think the DFN-PKI is a little more user-friendly.)
> Yes, the personal touch of our DFN Sub-CA guys knowing where my office is and
> being able to meet them at the coffeemaker is certainly something
> trust-building, in addition to the higher "no, email to ssladmin@
> doesn't suffice, I need you and your passport" standards.


> On the other hand I've attended a talk by the SSL observatory guys who
> worried about the sprawl of DFN Sub-CAs (basically there is one CA for
> each German university though the CA software infrastructure provided by
> the DFN limits their ability to sign to their respective domain(s)) and
> the potential dangers that might bring. And I can't really blame them
> for worrying.

Dunno.  It always feels like those folks are just scared by the concept of
sub-CAs, frankly.  One single look at how the DFN PKI show is run is enough to
understand that this is actually exactly how things are supposed to work out

I see why people are scared though.  Pretty much nobody other than DFN ever
bothered to set it up right, so the DFN PKI is pretty much the only CA with a
serious number of active sub-CAs.  (Looks really nice on the SSL map of the SSL
observatory though. -:))  Leads to very curious problems as well.  For most
major vendors we encounter -- mostly hardware vendors at that -- the concept of
having a sub-CA is so alien that usually the first bug report/feature request
that we have to file whenever we get a new line of products is that we would
really, really, really like to be able to configure not only a certificate and
its key into an appliance's web interface, but also a *gasp* certificate
chain...  Usually takes them ages to get the concept and another eon to
implement. *sigh* :-)

BTW, this is an example of a perfectly legit use case for X.509 IMHO.  Why
bother collecting and keeping track of self-rolled SSH keys of, say, KVM
switches when you can just put real SSL certificates from a known good CA on
them and just be done with it?

Those of you who think they know everything are very annoying to those
of us who do!


Karlsruhe Institute of Technology (KIT)
Steinbuch Centre for Computing (SCC)

Tobias Dussa
CERT Manager, CA Manager

Zirkel 2
Building 20.21
76131 Karlsruhe, Germany

Phone: +49 721 608-42479
Fax: +49 721 608-9-42479
Email: tobias.dussa at kit.edu
Web: http://www.kit.edu/

KIT – University of the State of Baden-Wuerttemberg and
National Laboratory of the Helmholtz Association
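The two points raised in the post, a sub-CA whose issuing ability is limited to its own domain(s) and an appliance that serves only its certificate and key without the chain, as an added shell example that is neither from the post nor from the DFN PKI tooling; it assumes an openssl binary (1.1.1 or later) on PATH, and example.edu, kvm.example.edu and kvm.example.org are constructed names:

```shell
#!/bin/sh
# Added example, not from the post or the DFN PKI: a throwaway root, a sub-CA
# name-constrained to one domain (as per-institution sub-CAs are limited to their
# own domain(s)), and two leaves. Assumes openssl >= 1.1.1; all names constructed.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# sign NAME ISSUER: sign $WORK/NAME.csr with ISSUER's key, extensions from NAME.ext
sign() {
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 30 -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
}

build_demo_pki() {
  # Self-signed root; 'req -x509' marks it CA:TRUE by default.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  # Sub-CA with a critical name constraint: it may only issue under example.edu.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Sub-CA" \
    -keyout "$WORK/sub.key" -out "$WORK/sub.csr" 2>/dev/null
  printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
    'keyUsage=critical,keyCertSign,cRLSign' \
    'nameConstraints=critical,permitted;DNS:example.edu' >"$WORK/sub.ext"
  sign sub root
  # One leaf inside the permitted subtree, one outside it.
  for host in kvm.example.edu kvm.example.org; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
      -keyout "$WORK/$host.key" -out "$WORK/$host.csr" 2>/dev/null
    printf '%s\n' 'basicConstraints=CA:FALSE' "subjectAltName=DNS:$host" >"$WORK/$host.ext"
    sign "$host" sub
  done
}

# Client trusting only the root, handed leaf plus sub-CA cert: the path builds.
verify_with_chain() { openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/sub.pem" "$WORK/kvm.example.edu.pem"; }
# Appliance configured with leaf and key only, no chain: issuer cannot be found.
verify_without_chain() { openssl verify -CAfile "$WORK/root.pem" "$WORK/kvm.example.edu.pem"; }
# Sub-CA issuing outside its domain: rejected by the critical name constraint.
verify_out_of_scope() { openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/sub.pem" "$WORK/kvm.example.org.pem"; }

build_demo_pki
verify_with_chain
verify_without_chain 2>&1 | head -n 2   # unable to get local issuer certificate
verify_out_of_scope 2>&1 | head -n 2    # permitted subtree violation
```

The middle case is what a browser or API client sees when an appliance was only given the leaf and its key; the last case is what the per-domain limit on a sub-CA actually buys a relying party.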
