[SSL Observatory] Number of CAs

Erwann ABALEA erwann at abalea.com
Thu Dec 8 10:44:04 PST 2011


2011/12/8 Daniel Kahn Gillmor <dkg at fifthhorseman.net>

> On 12/08/2011 12:44 PM, Ben Wilson wrote:
> > I think this group needs to define the problem more accurately.
>
> I outlined the problem as i saw it several years ago, which is that the
> design of X.509 as a single-issuer certification is fundamentally flawed:
>
>  http://lair.fifthhorseman.net/~dkg/tls-centralization/


How did you come to write that the software used by VeriSign and most CAs
is based on OpenSSL and a few graphical front-ends such as TinyCA, without
any expensive hardware?

I deployed VeriSign's software in 1998 in our facility, operated it,
studied and reverse engineered some parts of it, until 2004, and really,
there's no single piece of OpenSSL or GNUTLS inside it. The whole stuff is
written with role separation in mind, multi-tier design, high-availability,
and comes with high physical and procedural requirements. What has just
been proposed by Symantec on the CABForum is exactly what they're doing
since those early days (easy for them, since they bought VeriSign).
Since 2004, we're hosting our own product, written following the same
(good) rules, with success.

I'm sure a lot of recognized CAs do the same, more or less.

The fact that DigiNotar, and now KPN have proven to be bad actors doesn't
mean that all of the others are as bad.

-- 
Erwann.