[Ach] StartSSL for Business Sysadmins

ianG iang at iang.org
Wed Jan 15 09:20:57 CET 2014

On 15/01/14 01:51 AM, Tobias Dussa (SCC) wrote:
> Hi,
> On Tue, Jan 14, 2014 at 11:35:30PM +0100, Alexander Wuerstlein wrote:
>>> The same goes for any DFN-PKI sub-CA.  IMHO both the DFN PKI and the EUGridPMA
>>> PKI are poster-boy examples of how to run CAs sensibly.  (Though admittedly I
>>> think the DFN-PKI is a little more user-friendly.)
>> Yes, the personal touch of our DFN Sub-CA guys knowing where my office is and
>> being able to meet them at the coffeemaker is certainly something
>> trust-building, in addition to the higher "no, email to ssladmin@
>> doesn't suffice, I need you and your passport" standards.
> ;-)
>> On the other hand I've attended a talk by the SSL observatory guys who
>> worried about the sprawl of DFN Sub-CAs (basically there is one CA for
>> each German university though the CA software infrastructure provided by
>> the DFN limits their ability to sign to their respective domain(s)) and
>> the potential dangers that might bring. And I can't really blame them
>> for worrying.
> Dunno.  It always feels like those folks are just scared by the concept of
> sub-CAs, frankly.

Oh, no, they are scared by experience, or is that scarred?

The trick that was employed by some of the majors was to sell sub-CAs
for a profit, and when the abuses started being discovered, the (top)CAs
would say things like:  "oh, that's a separate business and we have no
control over them, and they have a separate policy, and it is all under
NDA so we can't tell you about them, nor can we tell you about any
others or even if we have any sub-CAs....."

This series of easy excuses tricked the browser vendors for a while.  It
took them a while to work through the deceptions and twists.  After a
while, people just got jaundiced, and a proportion of them just went to
war;  no sub-CAs.  Mostly because the CAs did not play fair.

Of course, I'm not saying that all CAs were like this.  Enough however
were like this to spoil the pot.  The problem with the PKI business is
that you all sink or swim together, so some bad apples quickly ruin the

For the most part, sub-CAs are more controlled now, the principle that
the (top) CA is fully responsible for everything has been somewhat
established.  However, games are still going on; someone posted me a day
or so ago about advertising for dodgy sub-CAs.  So it will take a while.

Which brings up the other poison in the industry:  secrecy.  So much is
done in secrecy that many people on the outside have given up and
believe the whole PKI is rotten to the core.


> One single look at how the DFN PKI show is run is enough to
> understand that this is actually exactly how things are supposed to work out.
> I see why people are scared though.  Pretty much nobody other than DFN ever
> bothered to set it up right, so the DFN PKI is pretty much the only CA with a
> serious number of active sub-CAs.  (Looks really nice on the SSL map of the SSL
> observatory though. -:))  Leads to very curious problems as well.  For most
> major vendors we encounter -- mostly hardware vendors at that -- the concept of
> having a sub-CA is so alien that usually the first bug report/feature request
> that we have to file whenever we get a new line of products is that we would
> really, really, really like to be able to configure not only a certificate and
> its key into an appliance's web interface, but also a *gasp* certificate
> chain...  Usually takes them ages to get the concept and another eon to
> implement. *sigh* :-)
> BTW, this is an example of a perfectly legit use case for X.509 IMHO.  Why
> bother collecting and keeping track of self-rolled SSH keys of, say, KVM
> switches when you can just put real SSL certificates from a known good CA on
> them and just be done with it?
> Cheers,
> Toby.
