[Ach] Publish own CA certificate. Loss of security?

ianG iang at iang.org
Sun Jan 19 13:46:45 CET 2014


On 19/01/14 13:29 PM, Torge Riedel wrote:
> Hi,
> 
> just a question I was just faced with:
> 
> For my own server I created my own CA certificate with which I signed
> new certificates for all of my services. My CA certificate is protected
> by a key.

The public key is in the certificate, unencrypted.  The private key is
kept private, and is typically protected by a secret key (encrypted).

> Is it a loss of security if I publish the CA certificate by -
> let's say - a web site so visitors of my https-protected web site can
> import it to their browser's cert list?


That is the theory and the intent:  you publish the public key, and then
your users (or their browsers) can rely on it.

> As I understood no one else can use my CA certificate to sign own
> certificates without knowing the key. Is this right?


Correct.

However, the security relies on some assumptions:  Primarily that you
created your key well.  If you have not used a good RNG then it might be
that someone can crunch it.  This was the problem with the Debian and
Android attacks -- the RNGs failed, and crunches and hacks followed.
It's also been shown that some non-trivial proportion of keys on the net
are the same key or can be crunched if you know what the platform is,
because the RNG was weak.


iang
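
A pre-publication check for the file discussed above, as an added example that is not part of the original message: it confirms the PEM file about to go on the web site holds only certificates and no private key block, encrypted or not. The file names and the DER stub payloads are constructed for illustration.

```python
import base64
import re

# RFC 7468 textual encoding: -----BEGIN <label>----- ... -----END <label>-----
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)


def classify_pem(text):
    """Return (label, der_ok) for every PEM block found in text."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            der = b""
        # DER-encoded certificates and keys start with a SEQUENCE tag (0x30).
        blocks.append((label, der[:1] == b"\x30"))
    return blocks


def safe_to_publish(text):
    """True only if the file holds certificates and nothing else."""
    blocks = classify_pem(text)
    if not blocks:
        return False, "no PEM blocks found"
    for label, der_ok in blocks:
        if label.endswith("PRIVATE KEY"):
            return False, f"contains a {label} block"
        if label != "CERTIFICATE":
            return False, f"unexpected {label} block"
        if not der_ok:
            return False, "CERTIFICATE block is not valid base64 DER"
    return True, f"{len(blocks)} certificate block(s), no key material"


def _pem(label, payload):
    # Constructed sample data: a tiny DER stub, not a real certificate or key.
    body = base64.encodebytes(payload).decode().strip()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


STUB = b"\x30\x03\x02\x01\x00"
CA_CERT_ONLY = _pem("CERTIFICATE", STUB)
COMBINED = CA_CERT_ONLY + _pem("ENCRYPTED PRIVATE KEY", STUB)

if __name__ == "__main__":
    for name, data in (("ca.crt", CA_CERT_ONLY), ("ca-combined.pem", COMBINED)):
        print(name, safe_to_publish(data))
```

An encrypted private key block is rejected as well, because a published encrypted key can be attacked offline by guessing its passphrase.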



