[Ach] Publish own CA certificate. Loss of security?

Karsten Iwen ki at iwen.de
Sun Jan 19 12:47:55 CET 2014


> Is it a loss of security if I publish the CA certificate by - let's say - a web site so visitors of my https-protected web site can import it into their browser's cert list?
> As I understood, no one else can use my CA certificate to sign their own certificates without knowing the key. Is this right?

You are right that no one else can use that certificate for signing their own certificates. But still I would consider that a very bad security practice.
If you ask your visitors to install your CA certificate, you ask them to trust you and your security practices. With that you could (more or less easily) intercept their HTTPS traffic. And if you don't handle your security right (you should always assume that you also make mistakes), then others can intercept their traffic.

Why should you ask them to trust you in that way especially when there are other ways available that work without that?

regards, Karsten
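The following is an added example, not code from Karsten's mail or from the list. It shows concretely what "trust you and your security practices" means: a private CA that a visitor has imported can mint a certificate for any hostname at all, and a client that trusts the CA accepts it. It goes one step beyond the mail by also showing the nameConstraints extension, which limits what an imported CA may vouch for. The hostnames (mysite.example, bank.example) and the CA name are assumed placeholders; the script needs the openssl command line tool (1.1.0 or later for -verify_hostname) and nothing else.

```shell
#!/bin/sh
# Added example, not part of the original mailing list post.
# Shows that whoever holds a CA key that your visitors trust can issue a
# valid-looking certificate for ANY site, and how a name constraint on the
# CA certificate narrows that. Hostnames below are assumed placeholders.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca DIR [EXTRA]: self-signed CA in DIR. EXTRA is an optional extra
# x509v3 extension line for the CA certificate (e.g. nameConstraints).
make_ca() {
    dir=$1; extra=${2:-}
    mkdir -p "$dir"
    cat >"$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Private CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
$extra
EOF
    openssl req -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -sha256 -days 30 -config "$dir/ca.cnf" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
}

# issue_leaf CADIR HOST: server certificate for HOST signed by the CA in
# CADIR (no check whatsoever that we own HOST); prints the certificate path.
issue_leaf() {
    cadir=$1; host=$2
    cat >"$cadir/$host.ext" <<EOF
basicConstraints = CA:FALSE
subjectAltName = DNS:$host
extendedKeyUsage = serverAuth
EOF
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -sha256 -config "$cadir/ca.cnf" -subj "/CN=$host" \
        -keyout "$cadir/$host.key" -out "$cadir/$host.csr" 2>/dev/null
    openssl x509 -req -in "$cadir/$host.csr" -CA "$cadir/ca.pem" \
        -CAkey "$cadir/ca.key" -CAcreateserial -days 30 -sha256 \
        -extfile "$cadir/$host.ext" -out "$cadir/$host.pem" 2>/dev/null
    echo "$cadir/$host.pem"
}

# accepts CADIR HOST CERT: exit 0 if a client that trusts CADIR/ca.pem would
# accept CERT when connecting to HOST (chain, hostname and name constraints).
accepts() {
    openssl verify -CAfile "$1/ca.pem" -verify_hostname "$2" "$3" >/dev/null 2>&1
}

# verdict CADIR HOST: mint a cert for HOST with that CA and print whether a
# client trusting the CA accepts it ("accepted" or "rejected").
verdict() {
    cert=$(issue_leaf "$1" "$2")
    if accepts "$1" "$2" "$cert"; then echo accepted; else echo rejected; fi
}

# An unconstrained CA (what most "please import our CA" pages ship) ...
make_ca "$WORK/open"
# ... versus one limited to the operator's own domain.
make_ca "$WORK/constrained" "nameConstraints = critical, permitted;DNS:mysite.example"

echo "unconstrained CA, cert for bank.example:          $(verdict "$WORK/open" bank.example)"
echo "name-constrained CA, cert for bank.example:       $(verdict "$WORK/constrained" bank.example)"
echo "name-constrained CA, cert for www.mysite.example: $(verdict "$WORK/constrained" www.mysite.example)"
```

The first line is the point of the mail: once the CA is in the visitor's trust store, a certificate for bank.example minted with that key is as good as a real one to that client, so the CA key (and anyone who steals it) can intercept the visitor's HTTPS traffic to any site. The name-constrained variant is a partial mitigation only: it depends on the client actually enforcing the constraint, and enforcement has varied between browsers and TLS stacks, so check the clients you care about rather than assuming it.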
