[SSL Observatory] one-key-per-server tradeoffs
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Wed Mar 23 19:15:09 PDT 2011

On 03/23/2011 07:38 PM, Chris Palmer wrote:
> On 03/23/2011 11:47 AM, Daniel Kahn Gillmor wrote:
>
>> I think you've mixed up "identity" with "certificate".
>
> "Certificate" is the "identity" that matters in this context.

i would propose that "identity" is the actual identity information
contained *within* the certificate in this case -- the subject of the
certificate and its subjectAltNames, etc. But i'm OK if we don't agree
on this terminology.

>> One security advantage of the one-key-per-server approach is that it
>> becomes possible to use un-extractable keys, generated in hardware
>> designed to never produce the secret key material.
>
> And how much did that help USERTRUST? Probably somewhat — USERTRUST
> claims the attackers could only sign arbitrary certificates, but not
> exfiltrate the private key. But how much safer do you feel? :)

I was talking about a key used by an end-entity (e.g. the Citibank
webservers). You're talking about a key used by a certificate
authority. I agree that compromise/temporary abuse of a CA's key has
much more lasting effects than compromise/temporary abuse of an EE's key.
I don't see how the recent USERTRUST CA compromise implies a flaw in the
one-key-per-server model for distributed hosting of web services.

--dkg