[SSL Observatory] one-key-per-server tradeoffs [Re: SSL CA compromise in the wild]

Chris Palmer chris at eff.org
Wed Mar 23 16:38:41 PDT 2011


On 03/23/2011 11:47 AM, Daniel Kahn Gillmor wrote:

> I think you've mixed up "identity" with "certificate".

"Certificate" is the "identity" that matters in this context.

> One security advantage of the one-key-per-server approach is that it
> becomes possible to use un-extractable keys, generated in hardware
> designed to never produce the secret key material.

And how much did that help USERTRUST? Probably somewhat — USERTRUST
claims the attackers could only sign arbitrary certificates, but not
exfiltrate the private key. But how much safer do you feel? :)

> Such a key could not be stolen other than by compromise of the server on
> which it resides.  As long as physical control over a machine is
> maintained, you can put a stop to abuse of a compromised key simply by
> turning it off, and not have to deal with the rest of the broken
> revocation infrastructure.

Actually, the attackers will be able to abuse their fraudulent certs for
as long as it takes for users to get the latest and greatest browsers.
(Quite a while, except for Chrome users.)

(And what about that "Global Trustee" certificate they signed for
themselves? Is that an intermediate signing CA? Do the browsers
correctly blacklist all leaf certs signed with that cert?)


-- 
Chris Palmer
Technology Director, Electronic Frontier Foundation
https://www.eff.org/code
