[Ach] StartSSL for Business Sysadmins
Tobias Dussa (SCC)
tobias.dussa at kit.edu
Wed Jan 15 09:46:26 CET 2014
Hi,
On Wed, Jan 15, 2014 at 11:20:57AM +0300, ianG wrote:
> > Dunno. It always feels like those folks are just scared by the concept of
> > sub-CAs, frankly.
> Oh, no, they are scared by experience, or is that scarred?
Possibly.
> The trick that was employed by some of the majors was to sell sub-CAs
> for a profit, and when the abuses started being discovered, the (top)CAs
> would say things like: "oh, that's a separate business and we have no
> control over them, and they have a separate policy, and it is all under
> NDA so we can't tell you about them, nor can we tell you about any
> others or even if we have any sub-CAs....."
Well, what can you say. I mentioned this before: Yes, you can set up CAs with a
crappy modus operandi. -:)
> This series of easy excuses tricked the browser vendors for a while. It
> took them a while to work through the deceptions and twists. After a
> while, people just got jaundiced, and a proportion of them just went to
> war; no sub-CAs. Mostly because the CAs did not play fair.
Pity.
> Of course, I'm not saying that all CAs were like this. Enough however
> were like this to spoil the pot. The problem with the PKI business is
> that you all sink or swim together, so some bad apples quickly ruins the
> barrel.
Well, hm, sorta. All depends on what you are trying to do.
> For the most part, sub-CAs are more controlled now, the principle that
> the (top) CA is fully responsible for everything has been somewhat
> established. However, games are still going on, someone posted me a day
> or so ago about advertising for dodgy sub-CAs. So it will take a while.
Works here.
> Which brings up the other poison in the industry: secrecy. So much is
> done in secrecy that many people on the outside have given up and
> believe the whole PKI is rotten to the core.
Trust is a hard thing to regain once it is lost. I do agree on the secrecy
being bad part.
Cheers,
Toby.
--
We're Germans and we use Unix. That's a combination of two demographic
groups known to have no sense of humour whatsoever.
---Hanno Mueller in de.comp.os.unix.programming
----
Karlsruhe Institute of Technology (KIT)
Steinbuch Centre for Computing (SCC)
KIT-CERT
Tobias Dussa
CERT Manager, CA Manager
Zirkel 2
Building 20.21
76131 Karlsruhe, Germany
Phone: +49 721 608-42479
Fax: +49 721 608-9-42479
Email: tobias.dussa at kit.edu
Web: http://www.kit.edu/
KIT – University of the State of Baden-Wuerttemberg and
National Laboratory of the Helmholtz Association