<div dir="ltr">It's one thing to explain how X.509 and so forth work, another to tell people how to use the website of a CA and which CAs are out there. I agree that the section on CAs is pretty small and needs some improvement - but we should neither do marketing for vendors nor assume that our readers have no understanding about system administration. After all, that's pretty basic stuff, right?<div>
<br></div><div>Full disclosure: IMHO X.509 is a bullshit protocol for online trust. You can't have a network comprised of autonomous systems relying on a hierarchical trust structure that provides higher up levels in the chain zero confirmability for authenticity or security. meaning - as recent history has shown and academia told us long ago - a CA can be compromised easily, can issue faulty certificates or issue certs for sub-CAs that will be, because of the chaining, instantly trusted by any browser or client. These facts have been exploited widely, with CAs giving some companies sub-CAs to man-in-the-middle SSL/TLS traffic of employees surfing. And that's just one example. Most CAs do not even get the Key Usage flag of their certificates right, which is why some software implementations dealing with X.509 chose to simply ignore it. This field is used to state WHAT the certificate is actually meant to be used for. I think it's long overdue to replace this piece of shit. It's complicated, was designed for telephony indices, has a lot of weaknesses and no means for provable authenticity or security as it's used and deployed today. We'd need something like a decision protocol where a majority of clients/servers using the protocol vote if a actor (service, server, company) is trustable. Propagation and updating of information might be an issue, I've not yet found a good solution for that, neiter for networks that are very small and not connected to the internet. There are papers and some software implementations on protocols like that, I think they could be used as a replacement if done well.</div>
<div><br></div><div><br></div><div><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Sun, Jan 12, 2014 at 6:41 PM, Andreas Mirbach <span dir="ltr"><<a href="mailto:a.mirbach@me.com" target="_blank">a.mirbach@me.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Okay got it.<br>
Have you reviewed my poll fot the iis section?<br>
Can i help with some testing in this section?<br>
<br>
Sent from my iPad<br>
<div class="HOEnZb"><div class="h5"><br>
> On 12.01.2014, at 18:35, "L. Aaron Kaplan" <<a href="mailto:kaplan@cert.at">kaplan@cert.at</a>> wrote:<br>
><br>
><br>
>> On Jan 12, 2014, at 6:24 PM, Andreas Mirbach <<a href="mailto:a.mirbach@me.com">a.mirbach@me.com</a>> wrote:<br>
>><br>
>> Hi Aaron,<br>
>><br>
>> in my opinion a security guide that discuss just a view cipher oders has no value at all. The document title is applied crypto hardening and it is aimed to be a copy and paste reference for sysadmins. In an "applied" real world scenario there are CAs involved in the crypto chain. It is essential to understand crypto security as a process of many things come and work together. It's not just some console commands and the use of commonly thusted ciphers.<br>
><br>
> Andreas,<br>
><br>
> you might be right but in the beginning we had to make some decisions what is "in scope" in the first version and "out of scope" and might be put into a later version or a different document (which of course should be referenced).<br>
><br>
> At that time, we all looked at the PKI issues and were saying to ourselves: "if we document all that we are never going to be finished " ;-) That's why became "out of scope" for the first version.<br>
><br>
>> I agree with you that this i maybe a topic for a second document.<br>
><br>
> :)<br>
><br>
> ACK<br>
><br>
><br>
> ---<br>
> // L. Aaron Kaplan <<a href="mailto:kaplan@cert.at">kaplan@cert.at</a>> - T: <a href="tel:%2B43%201%205056416%2078" value="+431505641678">+43 1 5056416 78</a><br>
> // CERT Austria - <a href="http://www.cert.at/" target="_blank">http://www.cert.at/</a><br>
> // Eine Initiative der <a href="http://nic.at" target="_blank">nic.at</a> GmbH - <a href="http://www.nic.at/" target="_blank">http://www.nic.at/</a><br>
> // Firmenbuchnummer 172568b, LG Salzburg<br>
><br>
><br>
><br>
><br>
</div></div><div class="HOEnZb"><div class="h5">> _______________________________________________<br>
> Ach mailing list<br>
> <a href="mailto:Ach@lists.cert.at">Ach@lists.cert.at</a><br>
> <a href="http://lists.cert.at/cgi-bin/mailman/listinfo/ach" target="_blank">http://lists.cert.at/cgi-bin/mailman/listinfo/ach</a><br>
_______________________________________________<br>
Ach mailing list<br>
<a href="mailto:Ach@lists.cert.at">Ach@lists.cert.at</a><br>
<a href="http://lists.cert.at/cgi-bin/mailman/listinfo/ach" target="_blank">http://lists.cert.at/cgi-bin/mailman/listinfo/ach</a><br>
</div></div></blockquote></div><br></div>