[SSL Observatory] Number of CAs

Erwann ABALEA erwann at abalea.com
Thu Dec 8 12:50:27 PST 2011


Good evening,

2011/12/8 Daniel Kahn Gillmor <dkg at fifthhorseman.net>

> On 12/08/2011 01:44 PM, Erwann ABALEA wrote:
> > How did you come to write that the software used by VeriSign and most CAs
> > is based on OpenSSL and a few graphical front-ends such as TinyCA, without
> > any expensive hardware?
>
> I beg your pardon, I was clearly factually wrong there, but I think
> you've missed the point of what I was trying to say.  The point there
> was that the hardware or software to run a CA doesn't need
> to be expensive or exclusive.  I shouldn't have claimed that you didn't
> spend a lot of money on your particular implementation.  I've just
> fixed the article.
>

I don't have any problem with free and auditable software; of course, we
use it every day, and participate in its evolution. You can build a PKI
using such products (and even integrate HSMs into command-line OpenSSL use,
if you want). But as was said earlier by Patrick Patterson, the trust in a
PKI doesn't rely (only) on the technical aspects. 90% of the value of a PKI
is in procedures, audits, facilities, etc. That's true. Neglect it and your
PKI project will surely fail.

We spent a lot of time (and money) to develop our products, but we are
today spending a lot more to securely operate them.
For example, with separation of duties, simply activating an HSM for online
use requires 6 or 7 different people (only 1 from the IT staff; the others
are shareholders, the key manager, Q&A staff), several vaults, biometric access
controls, all this in distant places (several km away), and every operation
is logged (on paper). A Key Ceremony involves additional people (a notary to
validate identities, a professional video staff to operate the internal
video circuit and create DVDs of the whole operation, customer
representatives to witness the operations, other shareholders, ...) and is
performed in a dedicated room with no network connectivity, no window, and dual
biometric access control. These are the kind of procedures Patrick was
talking about.



> The problem is that if any one of your competitors is a bad actor, all
> your policy compliance is meaningless for your relying parties, since
> they're relying on your competitors as well. :(


That's true. And I'm sure our competitors are also suffering from the bad
press the X.509 model has been getting for a few months.
That's why the CABForum is working, and the represented user base is discussing
(I'm talking about Mozilla, the only open process I know of).

-- 
Erwann.