[SSL Observatory] Number of CAs

Phillip Hallam-Baker hallam at gmail.com
Fri Dec 9 05:44:28 PST 2011


As with a previous proposal, there are two ways that 'CA redundancy' can be
interpreted:

1) Client can take a certificate from either CA.
2) Both CA certificates must be valid.

Add in the single CA case as case 0 and we get:

Single point of failure, failure to issue

Case 0: Fail (closed)
Case 1: Success
Case 2: Fail (closed)

Single point of failure, issue of false cert

Case 0: Fail (open)
Case 1: Fail (open)
Case 2: Fail (closed)

If you add in a three CA option with voting you can get to success in both
cases. But otherwise having the multiple CA check does not provide much of
a benefit.

Three CA certs do not look likely to be a compelling business case when
dealing with commercial risk. Which is a real shame from my standpoint. I
am more than happy to tell my CEO that we need to triple demand for certs.
But I don't think I can sell that to customers.



On Thu, Dec 8, 2011 at 6:25 PM, Erwann Abalea <eabalea at gmail.com> wrote:

>
> On 9 Dec 2011 00:16, "Adam Langley" <agl at google.com> wrote:
>
> >
> > On Thu, Dec 8, 2011 at 6:10 PM, Erwann Abalea <eabalea at gmail.com> wrote:
> > > 2 certificates, one with an RSA key, the other with a DSA key. This is
> > > supported both by the protocol (SSL3 at least), and by Apache. The 2
> > > certificates can of course be delivered by different CAs. I haven't tested
> > > the browsers' behavior, it may be a good thing to do ;)
> >
> > That certainly works, but the server selects only one certificate
> > chain to serve based on the selected cipher suite. Since the client's
> > advertised cipher suites are basically fixed, a given client will
> > always get the same chain, so I don't believe that this achieves the
> > CA redundancy that Daniel was looking for.
>
> True. That was a stupid idea, I just noticed this while reading RFC2246.
> This would require the client to send 2 different ciphersuites with the
> hope that 2 different certificates would show. With ECDSA, you can extend
> this stupid behavior to 3 different stuff.
>
> --
> Erwann.
>



-- 
Website: http://hallambaker.com/
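To make the case table in the message above concrete, here is an added example (not part of the thread) that models each client acceptance policy as a threshold over the CAs that produced a certificate, and evaluates it against the two single-CA failure modes: one CA failing to issue, and one CA issuing a false certificate to an attacker. The CA names and the strict-majority rule used for the three-CA voting case are assumptions.

```python
# Added example, not from the thread: threshold model of CA redundancy.
# CA names below are constructed for illustration.
CAS = ("CA_A", "CA_B", "CA_C")


def issued_certs(cas, failed_ca=None, rogue_ca=None, legit=True):
    """Return the set of CAs that produced a certificate in a scenario.

    legit=True: the real site owner asks every CA; a failed CA issues nothing.
    legit=False: an attacker can only obtain a certificate from the rogue CA.
    """
    if legit:
        return {ca for ca in cas if ca != failed_ca}
    return {rogue_ca} if rogue_ca else set()


def accepts(policy, present, cas):
    """Client decision: 'any' (case 1), 'all' (case 2) or 'vote' (k-of-n)."""
    n = len(cas)
    if policy == "any":
        return len(present) >= 1
    if policy == "all":
        return len(present) == n
    if policy == "vote":
        return len(present) >= n // 2 + 1  # strict majority, assumed rule
    raise ValueError(policy)


def outcome(policy, cas):
    """(tolerates one CA outage, blocks a cert from one rogue CA)."""
    # Failure to issue: the first CA is down, legitimate site still served?
    outage_ok = accepts(policy, issued_certs(cas, failed_ca=cas[0]), cas)
    # False cert: the first CA is rogue and hands a cert to an attacker.
    forged = issued_certs(cas, rogue_ca=cas[0], legit=False)
    blocks_forgery = not accepts(policy, forged, cas)
    return outage_ok, blocks_forgery


def table():
    """Reproduce the cases from the message plus the 2-of-3 voting option."""
    return {
        "case0_single": outcome("any", CAS[:1]),
        "case1_either_of_2": outcome("any", CAS[:2]),
        "case2_both_of_2": outcome("all", CAS[:2]),
        "vote_2_of_3": outcome("vote", CAS),
    }


if __name__ == "__main__":
    for name, (outage_ok, blocks_forgery) in table().items():
        print(f"{name:18s} outage_ok={outage_ok} blocks_forgery={blocks_forgery}")
```

Only the majority-vote policy returns True for both columns; "any" fails open on a rogue CA, "all" fails closed on an outage, matching the two tables above.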