[SSL Observatory] Perspectives on Convergence of EFF, EPIC, SSL, TOR, NSA, ET CETERA
Matthias Hunstock
matthias.hunstock at tu-ilmenau.de
Fri Nov 4 19:34:20 PDT 2011
On 05.11.2011 01:42, Peter Eckersley wrote:
> In the case of the DFN subordinate that we observed beneath Deutsche Telekom's
> root, my best estimate is that the private keys for its sub-CAs are
> physically controlled by DFN (i.e., only one place you could steal those private
> keys from), but what they sign is determined remotely on computers at the 200
> institutions named in these CAs
It is not "determined" remotely what is being signed. A computer at one
of the institutions can only "request" something to be signed, but of
course there are controls in place. Among other things, the certificate
requests are filtered against a per-institution domain whitelist, where
new entries are manually approved by DFN.

So there is hardly any difference to a simple, paying customer of any
commercial CA from a security point of view.
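
An added illustration, not part of the original message and not DFN's actual system: a minimal sketch of filtering the names in a certificate request against a per-institution domain whitelist before anything is signed. The institution ids, domains and function names are hypothetical, and the whitelist is assumed to be edited only by the CA operator after manual approval.

```python
# Added illustration: hypothetical policy data and names, not DFN's actual system.
from dataclasses import dataclass, field

# Constructed per-institution whitelist of approved base domains.
# Assumption: only the CA operator can add entries, after manual approval.
WHITELIST = {
    "uni-a": {"uni-a.example", "research-a.example"},
    "uni-b": {"uni-b.example"},
}

@dataclass
class Decision:
    accepted: list = field(default_factory=list)  # names covered by the whitelist
    rejected: list = field(default_factory=list)  # names outside it, or malformed

def normalize(name):
    """Lowercase and strip a trailing dot; return None for malformed names."""
    name = name.strip().lower().rstrip(".")
    labels = name.split(".")
    if len(labels) < 2 or any(not label for label in labels):
        return None
    # A wildcard is tolerated only as the complete leftmost label.
    if any("*" in l for l in labels[1:]) or ("*" in labels[0] and labels[0] != "*"):
        return None
    return name

def covered(name, base):
    """True if name equals base or is a subdomain of it, on a label boundary."""
    host = name[2:] if name.startswith("*.") else name
    return host == base or host.endswith("." + base)

def check_request(institution, requested_names):
    """Filter the names in one certificate request against the whitelist."""
    allowed = WHITELIST.get(institution, set())
    decision = Decision()
    for raw in requested_names:
        name = normalize(raw)
        if name is not None and any(covered(name, b) for b in allowed):
            decision.accepted.append(name)
        else:
            decision.rejected.append(raw)
    return decision

def may_sign(institution, requested_names):
    """Sign only if every requested name is covered; one stray name blocks it."""
    decision = check_request(institution, requested_names)
    return bool(decision.accepted) and not decision.rejected
```

The label-boundary comparison in `covered` is the part that matters: a plain suffix match would accept a look-alike such as `evil-uni-a.example` for the base `uni-a.example`.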