[Ach] StartSSL for Business Sysadminsy

Tobias Dussa (SCC) tobias.dussa at kit.edu
Wed Jan 15 09:46:26 CET 2014


Hi,

On Wed, Jan 15, 2014 at 11:20:57AM +0300, ianG wrote:
> > Dunno.  It always feels like those folks are just scared by the concept of
> > sub-CAs, frankly.
> Oh, no, they are scared by experience, or is that scarred?

Possibly.

> The trick that was employed by some of the majors was to sell sub-CAs
> for a profit, and when the abuses started being discovered, the (top)CAs
> would say things like:  "oh, that's a separate business and we have no
> control over them, and they have a separate policy, and it is all under
> NDA so we can't tell you about them, nor can we tell you about any
> others or even if we have any sub-CAs....."

Well, what can you say.  I mentioned this before: Yes, you can set up CAs with a
crappy modus operandi. -:)

> This series of easy excuses tricked the browser vendors for a while.  It
> took them a while to work through the deceptions and twists.  After a
> while, people just got jaundiced, and a proportion of them just went to
> war;  no sub-CAs.  Mostly because the CAs did not play fair.

Pity.

> Of course, I'm not saying that all CAs were like this.  Enough however
> were like this to spoil the pot.  The problem with the PKI business is
> that you all sink or swim together, so some bad apples quickly ruin the
> barrel.

Well, hm, sorta.  All depends on what you are trying to do.

> For the most part, sub-CAs are more controlled now, the principle that
> the (top) CA is fully responsible for everything has been somewhat
> established.  However, games are still going on, someone posted me a day
> or so ago about advertising for dodgy sub-CAs.  So it will take a while.

Works here.

> Which brings up the other poison in the industry:  secrecy.  So much is
> done in secrecy that many people on the outside have given up and
> believe the whole PKI is rotten to the core.

Trust is a hard thing to regain once it is lost.  I do agree on the secrecy
being bad part.

Cheers,
Toby.
-- 
We're Germans and we use Unix.  That's a combination of two demographic
groups known to have no sense of humour whatsoever.
                      ---Hanno Mueller in de.comp.os.unix.programming

----

Karlsruhe Institute of Technology (KIT)
Steinbuch Centre for Computing (SCC)
KIT-CERT

Tobias Dussa
CERT Manager, CA Manager

Zirkel 2
Building 20.21
76131 Karlsruhe, Germany

Phone: +49 721 608-42479
Fax: +49 721 608-9-42479
Email: tobias.dussa at kit.edu
Web: http://www.kit.edu/

KIT – University of the State of Baden-Wuerttemberg and
National Laboratory of the Helmholtz Association