[SSL Observatory] Perspectives on Convergence of EFF, EPIC, SSL, TOR, NSA, ET CETERA

Phillip Hallam-Baker hallam at gmail.com
Fri Nov 4 18:10:08 PDT 2011


So you accept the criticism but now claim an even higher number of 'CAs'
based on data that you admit that you cannot measure?

And you don't see that you have a credibility problem?


I notice that you made no response on the question of peer review. For the
avoidance of confusion could you either confirm that you have not sought
peer review or state the journal where your paper has been accepted?


On Fri, Nov 4, 2011 at 8:42 PM, Peter Eckersley <pde at eff.org> wrote:

> On Thu, Nov 03, 2011 at 10:16:00PM -0400, Phillip Hallam-Baker wrote:
>
> > If someone is going to claim that there are '650 CAs' then they could at
> > least ask why the DFN root has 200 intermediates chained and if they are
> > actually CAs as being claimed.
> >
>
> Previously I was unsure about whether the real number of CAs was more or less
> than 650, though I now believe it is significantly higher, because people keep
> telling me they are seeing huge numbers of universally trusted CAs operating
> on networks that we haven't been able to scan.
>
> There is, however, an important difference between the number of key storage
> systems that could be compromised in such a way that the attacker learns the
> private key, and the number of CAs that can be compromised in such a way that
> the attacker makes herself a certificate for arbitrary domains like
> mailserver.mycorporation.com.
>
> In the case of the DFN subordinate that we observed beneath Deutsche Telekom's
> root, my best estimate is that the private keys for its sub-CAs are
> physically controlled by DFN (ie, only one place you could steal those private
> keys from), but what they sign is determined remotely on computers at the 200
> institutions named in these CAs (ie, 200 systems you could break into in order
> to perform a CA-certified attack on the target of your choice).
>
> https://www.pki.dfn.de/ca-auslagerung/
>
> Funky Google translation from German:
>
> Outsourcing of a CA
>
>  The DFN-PKI provides outsource all users in the German research network
>  allows the tasks of their own certification bodies to the DFN-Verein. The
>  basis for the separation of the technical functions of a certification
>  authority (CA) of the organizational tasks of a Registration Authority (RA).
>
>     The DFN-Verein organizes on behalf of the user's certification authority.
>     So this is the user any special hardware and software infrastructure
>     necessary and the local staff costs can be significantly reduced compared
>     with a non-paged CA.
>
>     The registration authority remains with the user. The services of a
>     registrar (eg verification of identity and authenticity) can DFN-users as
>     through existing organizational units such as enrollment offices are
>     provided.
>
>     For the work processes and information exchange between the user and the
>     DFN DFN-Verein customized, secure interfaces are provided.
>
> DFN-PKI test
>
> The DFN-PKI test offers the opportunity to familiarize themselves with the
> functioning of ports and try to "playful" way all the steps in an external
> certification authority.
>
> If you have questions about outsourcing your certificate authority, or to
> request the necessary forms, please send an e-mail to pki at dfn.de.


-- 
Website: http://hallambaker.com/
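The disagreement above is about what a "CA" count measures. The following is an added illustration, not part of the thread: it counts the same hierarchy four ways (CA certificates, roots, key custodians, issuance controllers) over a constructed sample modelled on the DFN arrangement Peter describes. The `key_custodian` and `issuance_controller` fields are assumed out-of-band knowledge; they cannot be read from the certificates themselves.

```python
from collections import Counter, namedtuple

# Constructed records, not SSL Observatory data. key_custodian = who physically
# holds the signing key; issuance_controller = who decides what gets signed.
CACert = namedtuple("CACert", "subject issuer key_custodian issuance_controller")

SAMPLE = [
    CACert("Root T", "Root T", "Telco HSM", "Telco"),
    CACert("DFN PCA", "Root T", "DFN HSM", "DFN"),
    # Three institution-named sub-CAs: keys live at DFN, RA decisions do not.
    CACert("Univ A CA", "DFN PCA", "DFN HSM", "Univ A RA"),
    CACert("Univ B CA", "DFN PCA", "DFN HSM", "Univ B RA"),
    CACert("Univ C CA", "DFN PCA", "DFN HSM", "Univ C RA"),
    # An unrelated second root with one issuing CA, all run by one party.
    CACert("Root X", "Root X", "X HSM", "X"),
    CACert("X Issuing CA", "Root X", "X HSM", "X"),
]


def root_of(cert, by_subject):
    """Follow issuer links until a self-issued certificate is reached."""
    seen = set()
    while cert.issuer != cert.subject:
        if cert.subject in seen:
            raise ValueError("issuer loop at %s" % cert.subject)
        seen.add(cert.subject)
        cert = by_subject[cert.issuer]
    return cert.subject


def ca_counts(certs):
    """The same hierarchy counted under four definitions of 'a CA'."""
    return {
        "ca_certificates": len(certs),  # the naive headline number
        "roots": sum(1 for c in certs if c.issuer == c.subject),
        # places a private key could be stolen from
        "key_custodians": len({c.key_custodian for c in certs}),
        # places a mis-issuance could be ordered from
        "issuance_controllers": len({c.issuance_controller for c in certs}),
    }


def intermediates_per_root(certs):
    """How many non-root CA certificates chain to each root."""
    by_subject = {c.subject: c for c in certs}
    return Counter(root_of(c, by_subject) for c in certs if c.issuer != c.subject)


if __name__ == "__main__":
    print(ca_counts(SAMPLE))
    print(dict(intermediates_per_root(SAMPLE)))
```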

