[SSL Observatory] Perspectives on Convergence of EFF, EPIC, SSL, TOR, NSA, ET CETERA

Peter Eckersley pde at eff.org
Fri Nov 4 17:42:11 PDT 2011


On Thu, Nov 03, 2011 at 10:16:00PM -0400, Phillip Hallam-Baker wrote:
 
> If someone is going to claim that there are '650 CAs' then they could at
> least ask why the DFN root has 200 intermediates chained and if they are
> actually CAs as being claimed.
> 

Previously I was unsure about whether the real number of CAs was more or less
than 650, though I now believe it is significantly higher, because people keep
telling me they are seeing huge numbers of universally trusted CAs operating
on networks that we haven't been able to scan.  

There is, however, an important difference between the number of key storage
systems that could be compromised in such a way that the attacker learns the
private key, and the number of CAs that can be compromised in such a way that
the attacker makes herself a certificate for arbitrary domains like
mailserver.mycorporation.com.

In the case of the DFN subordinate that we observed beneath Deutsche Telekom's
root, my best estimate is that the private keys for its sub-CAs are
physically controlled by DFN (i.e., only one place you could steal those private
keys from), but what they sign is determined remotely on computers at the 200
institutions named in these CAs (i.e., 200 systems you could break into in order
to perform a CA-certified attack on the target of your choice).

https://www.pki.dfn.de/ca-auslagerung/

Funky Google translation from German:

Outsourcing of a CA

  The DFN-PKI provides outsource all users in the German research network
  allows the tasks of their own certification bodies to the DFN-Verein. The
  basis for the separation of the technical functions of a certification
  authority (CA) of the organizational tasks of a Registration Authority (RA).

     The DFN-Verein organizes on behalf of the user's certification authority.
     So this is the user any special hardware and software infrastructure
     necessary and the local staff costs can be significantly reduced compared
     with a non-paged CA.

     The registration authority remains with the user. The services of a
     registrar (eg verification of identity and authenticity) can DFN-users as
     through existing organizational units such as enrollment offices are
     provided.

     For the work processes and information exchange between the user and the
     DFN DFN-Verein customized, secure interfaces are provided.

DFN-PKI test

The DFN-PKI test offers the opportunity to familiarize themselves with the
functioning of ports and try to "playful" way all the steps in an external
certification authority.

If you have questions about outsourcing your certificate authority, or to
request the necessary forms, please send an e-mail to pki at dfn.de.
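The distinction drawn in this message (how many CA certificates a scan sees, versus how many distinct signing keys, versus how many places those keys are physically held, versus how many places decide what gets signed) is easy to blur when someone quotes a single "N CAs" figure. The following Python is an added illustration, not code from the thread or from the EFF Observatory: it counts a constructed, invented CA hierarchy four different ways. The certificate records, key ids, root set, and the `KEY_CUSTODIAN` and `ISSUANCE_DECIDER` maps are all assumptions; real certificates carry none of the custodian or RA information, which is exactly why the counts diverge.

```python
"""Count 'how many CAs' four ways over a constructed CA hierarchy.

Added example; the data are invented and do not describe the real DFN or
Deutsche Telekom certificates, only a hierarchy of the same general shape.
"""
from collections import namedtuple

CACert = namedtuple("CACert", "subject subject_key issuer issuer_key")

# Constructed sample: one root with an outsourced sub-CA operator holding keys
# for several institutional sub-CAs, a rekey that re-certifies an existing key,
# a second root, and a cross-signed intermediate. Key ids are invented labels.
OBSERVED = [
    CACert("Root R1", "K-r1", "Root R1", "K-r1"),
    CACert("Outsourcer CA", "K-out1", "Root R1", "K-r1"),
    CACert("University A CA", "K-uniA", "Outsourcer CA", "K-out1"),
    CACert("University B CA", "K-uniB", "Outsourcer CA", "K-out1"),
    CACert("University C CA", "K-uniC", "Outsourcer CA", "K-out1"),
    # The outsourcer rekeyed and re-certified University A: two certs, one key.
    CACert("Outsourcer CA", "K-out2", "Root R1", "K-r1"),
    CACert("University A CA", "K-uniA", "Outsourcer CA", "K-out2"),
    CACert("Root R2", "K-r2", "Root R2", "K-r2"),
    # Cross-signed intermediate: one key, certified by both roots.
    CACert("Commercial Sub CA", "K-com", "Root R2", "K-r2"),
    CACert("Commercial Sub CA", "K-com", "Root R1", "K-r1"),
]

TRUSTED_ROOT_KEYS = {"K-r1", "K-r2"}

# Hypothetical operational metadata that certificates never carry (assumption):
# where each private key physically lives, and who decides what it signs.
KEY_CUSTODIAN = {
    "K-r1": "root-r1-hsm",
    "K-out1": "outsourcer-hsm", "K-out2": "outsourcer-hsm",
    "K-uniA": "outsourcer-hsm", "K-uniB": "outsourcer-hsm",
    "K-uniC": "outsourcer-hsm",
    "K-r2": "root-r2-hsm",
    "K-com": "commercial-hsm",
}
ISSUANCE_DECIDER = {
    "K-r1": "root-r1-ops",
    "K-out1": "outsourcer-ra", "K-out2": "outsourcer-ra",
    "K-uniA": "uni-a-ra", "K-uniB": "uni-b-ra", "K-uniC": "uni-c-ra",
    "K-r2": "root-r2-ops",
    "K-com": "commercial-ra",
}


def trusted_keys(certs, root_keys):
    """Return the set of CA keys that chain to a trusted root key.

    Iterates to a fixed point, so arbitrary depth, rekeys and cross-signs are
    handled without assuming the list is in chain order.
    """
    trusted = set(root_keys)
    changed = True
    while changed:
        changed = False
        for cert in certs:
            if cert.issuer_key in trusted and cert.subject_key not in trusted:
                trusted.add(cert.subject_key)
                changed = True
    return trusted


def trusted_certs(certs, root_keys):
    """CA certificates whose issuer key chains to a trusted root."""
    keys = trusted_keys(certs, root_keys)
    return [c for c in certs if c.issuer_key in keys]


def count_certificates(certs, root_keys):
    """Naive 'number of CAs': every CA certificate seen in a trusted chain."""
    return len(trusted_certs(certs, root_keys))


def count_keys(certs, root_keys):
    """Distinct trusted signing keys (rekeys and cross-signs collapse)."""
    return len(trusted_keys(certs, root_keys))


def count_key_locations(certs, root_keys, custodian):
    """Places a private key could be stolen from (custodian map is assumed)."""
    return len({custodian[k] for k in trusted_keys(certs, root_keys)})


def count_issuance_points(certs, root_keys, decider):
    """Places where a break-in yields a certificate for a chosen name."""
    return len({decider[k] for k in trusted_keys(certs, root_keys)})


def summary(certs=OBSERVED, root_keys=TRUSTED_ROOT_KEYS):
    return {
        "certificates": count_certificates(certs, root_keys),
        "keys": count_keys(certs, root_keys),
        "key_locations": count_key_locations(certs, root_keys, KEY_CUSTODIAN),
        "issuance_points": count_issuance_points(certs, root_keys, ISSUANCE_DECIDER),
    }


if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name:16s} {value}")
```

On the constructed data the four counts are 10 certificates, 8 keys, 4 key locations and 7 issuance points, which is the shape of the argument above: the number of places an attacker could steal a key from is smaller than the number of certificates, while the number of places whose compromise yields a certificate for an arbitrary name is larger than the number of key custodians. One caveat worth carrying into any such census: a sub-CA whose certificate carries an X.509 name constraint cannot issue for arbitrary domains, so it would belong in a separate column from the unconstrained ones counted here.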
