nanog mailing list archives
Re: Gmail and SSL
From: Jimmy Hess <mysidia () gmail com>
Date: Sun, 30 Dec 2012 19:25:04 -0600
On 12/30/12, Keith Medcalf <kmedcalf () dessus com> wrote:
Your assertion that using "bought" certificates provides any security benefit whatsoever assumes facts not in evidence.
I would say those claiming certificates from a public CA provide no assurance of authentication of server identity greater than that of a self-signed one would have the burden of proof to show that it is no less likely for an attempted forger to be able to obtain a false "bought" certificate from a public trusted CA that has an audited certification practices statement (a certificate improperly issued contrary to their CPS) than to have created a self-issued false self-signed certificate.

It is certainly contrary to some basis on which web browser implementations of HTTPS and TLS in practice rely. While there have been failures in that area, regarding some particular CAs and some particular certificates, the reported occurrences of this were sufficiently rare that one doubts "obtaining an improperly issued certificate from a widely trusted CA" is an easy feat for the most likely attackers to accomplish.

So I would be very interested in any data you had to show that a CA signature provides no additional assurance; especially when combined with a policy of requiring manual human verification of the certificate fingerprint, and manual human agreement that the CA's CPS is strict enough for this certificate usage, after all the automatic checks that it was properly signed by a well-known CA with an audited CPS statement, with the usage of the certificate key matching an allowed usage declared by the Type/EKU/CA attributes of the subject and issuer certs.

--
-JH
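The two-layer policy in the last paragraph (automatic chain, CA-attribute and EKU checks, then a human fingerprint comparison) as an added example using the OpenSSL command line; this is not code from the thread or from any of its participants. A throwaway private CA stands in for the "well-known CA", and the script then tests the four certificates the two layers have to tell apart: the genuine server cert, a self-signed forgery for the same hostname, a CA-issued cert whose EKU is clientAuth only, and a CA-issued serverAuth cert for the right name but a different key (the "improperly issued" case, which only the pinned-fingerprint step catches). The hostname mail.example.test, the CA name, the file layout under a temp directory and the return codes are the example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): a private CA stands in for a trusted public CA.
# verify_server_cert() runs the automatic checks a TLS client does, then the manual
# fingerprint comparison the post adds on top. All names and paths here are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"
HOST=mail.example.test   # hostname the certificates claim (assumed)
CNF="$WORK/pki.cnf"

make_pki() {
  # One self-contained OpenSSL config so nothing depends on the system openssl.cnf.
  cat > "$CNF" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = $HOST
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[server_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$HOST
[client_ext]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
subjectAltName = DNS:$HOST
EOF
  # Root CA: self-signed, CA:TRUE, keyCertSign. Plays the "well-known CA" of the post.
  openssl req -x509 -config "$CNF" -extensions ca_ext -subj "/CN=Example Private CA" \
    -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.pem" -days 30 2>/dev/null
  issue server    server_ext   # the genuine server certificate
  issue wrongeku  client_ext   # CA-issued, but its EKU allows only clientAuth
  issue misissued server_ext   # CA-issued for the right name, wrong key: "improperly issued"
  # A self-signed certificate claiming the same name: what a forger can always produce.
  openssl req -x509 -config "$CNF" -extensions server_ext \
    -newkey rsa:2048 -nodes -keyout "$WORK/forged.key" -out "$WORK/forged.pem" -days 30 2>/dev/null
}

# issue NAME EXT_SECTION: fresh key and CSR for $HOST, signed by the CA with that extension set.
issue() {
  openssl req -new -config "$CNF" -newkey rsa:2048 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 30 -extfile "$CNF" -extensions "$2" -out "$WORK/$1.pem" 2>/dev/null
}

# SHA-256 fingerprint of a certificate: the value a human compares out of band.
fingerprint_of() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# verify_server_cert CERT HOSTNAME PINNED_FINGERPRINT
# returns 0 = accepted, 1 = automatic checks failed, 2 = chain fine but not the pinned cert
verify_server_cert() {
  cert=$1; host=$2; pin=$3
  # Automatic checks: signature chain to the trusted CA, issuer really a CA with keyCertSign,
  # validity dates, hostname present in the SAN, and key usage / EKU acceptable for a TLS
  # server (-purpose sslserver rejects a clientAuth-only leaf).
  openssl verify -CAfile "$WORK/ca.pem" -purpose sslserver -verify_hostname "$host" \
    "$cert" >/dev/null 2>&1 || return 1
  # Manual check: the fingerprint must be the one the operator confirmed by hand.
  # Only this step catches a certificate the CA issued for the right name to the wrong key.
  [ "$(fingerprint_of "$cert")" = "$pin" ] || return 2
}

# rc_of CERT HOSTNAME PIN: like verify_server_cert, but prints the code instead of returning it.
rc_of() {
  verify_server_cert "$@" && echo 0 || echo $?
}

make_pki
PIN=$(fingerprint_of "$WORK/server.pem")
for name in server forged wrongeku misissued; do
  echo "$name.pem against the pinned fingerprint: rc=$(rc_of "$WORK/$name.pem" "$HOST" "$PIN")"
done
```

Run stand-alone it prints rc=0 for server.pem, rc=1 for forged.pem and wrongeku.pem (rejected by the automatic layer: no chain to the trusted CA, and wrong EKU respectively) and rc=2 for misissued.pem, which passes every automatic check and is stopped only by the pinned fingerprint. Requires an OpenSSL 1.1.0 or newer command line for -verify_hostname.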
Current thread:
- Re: Gmail and SSL, (continued)
- Re: Gmail and SSL Peter Kristolaitis (Dec 14)
- Re: Gmail and SSL Maxim Khitrov (Dec 14)
- RE: Gmail and SSL Matthew Black (Dec 14)
- Re: Gmail and SSL Peter Kristolaitis (Dec 14)
- Re: Gmail and SSL Christopher Morrow (Dec 14)
- Re: Gmail and SSL Jasper Wallace (Dec 20)
- Re: Gmail and SSL Peter Kristolaitis (Dec 14)
- Message not available
- Re: Gmail and SSL Peter Kristolaitis (Dec 29)
- Re: Gmail and SSL Christopher Morrow (Dec 30)
- Re: Gmail and SSL Jimmy Hess (Dec 30)
- Re: Gmail and SSL John Levine (Dec 30)
- Re: Gmail and SSL Jimmy Hess (Dec 30)
- Re: Gmail and SSL Rich Kulawiec (Dec 31)
- Re: Gmail and SSL John R. Levine (Dec 31)