[SSL Observatory] Tangent - coercibility of different authority structures

Phillip Hallam-Baker hallam at gmail.com
Mon Sep 26 07:18:58 PDT 2011


On Mon, Sep 26, 2011 at 10:00 AM, Ralph Holz <holz at net.in.tum.de> wrote:

> Hi,
>
> I am pulling this from my memory, but I had the pleasure with the local
> RA once when I got myself an S/MIME cert. AFAICR the procedure is that
> they trigger certification via an API, and the client cert is issued
> directly by the CA. I don't know the procedure for WWW certs. What I do
> know is that the guys did not accept my ID of the CS faculty here, but
> rather insisted I show them my passport. That was a higher level of
> certification than I had expected. :)
>

The question that would be of interest is whether that RA had the
theoretical capability to issue for www.cia.gov or if the CA would only
allow it to issue for your university.


> > Now the current situation is not acceptable. The CA in question has not
> > responded to my enquiries as to what their policy actually is. So it is
>
> Was that DFN? They should reply, but maybe they take that stupid stance
> that they answer to subscribers only. As I am one, I could ask again.


They could reply to my email.



> > entirely possible that they are doing it the stupid way. And this is not
> > a situation that can be allowed to continue.
>
> Which means you would have to unplug Deutsche Telekom. Which Mozilla
> won't do unless you can show them they have misbehaved.
>

Which means that we will have to change the audit requirements so that the
CA is obliged to disclose public issue capability.

Since there is no reason why DFN subscribers would need or want that
capability, I think the probability of getting it agreed is much higher than
you imagine :)



> The real problem is not even disclosure of sub-CAs; it is control over
> them. Host name limitations in the CN/SAN will help here, but only
> briefly I guess.
>
> > But what I take exception to is the jump from an observation that might
> > imply the possibility of 200 CAs to a repeated assertion of fact. The
> > EFF has not attempted to determine whether those 200 certs are
> > independent CAs or merely 200 keys in a single HSM held by the CA. Yet
> > EFF people are repeating the claim as fact and using it to drive a
> > policy discussion.
>
> I agree that the conjecture is not correct.


Yet it is used by an EFF board member as being evidence for a need to replace
the whole CA system.



> Their BR may be a step in the right
> direction, but they're so impossibly worded and boring to read that you
> need to be a really dedicated follower, and even then I am not sure if
> name constraints are in the BR. Actually, I think they are not.


The BR v1.0 is really about the decision to have a minimum requirement. It
is going to be very minimum.

Unfortunately, that type of approach is what is necessary to do that type of
job.


> > My firm belief is that we need to start by making all parties that
> > perform public validation subject to the same audit requirement as a CA.
>
> Audits are not my specialty, but I think IanG will have some words here...


Audits mean almost nothing.

But lack of an audit means that your security policy is completely useless.
Nobody is going to comply with policy without an audit.

So an audit means that it is possible that you are compliant with your
policy.


-- 
Website: http://hallambaker.com/
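The capability question raised in this message (could the RA or sub-CA issue for www.cia.gov, or only for its own university?) and the "host name limitations in the CN/SAN" Ralph mentions are, inside the certificate path itself, the RFC 5280 name constraints extension. The following is an added example, not code from the thread, from DFN, or from any CA's software: a small pure-Python model of the dNSName permittedSubtrees/excludedSubtrees rule, applied to two constructed chains. The CA names, the chains, the domain tum.de (assumed here as the university's zone from the poster's address) and the excluded subtree are all hypothetical.

```python
# Added example (not from the thread or any CA's software): a minimal model of
# RFC 5280 section 4.2.1.10 name constraints for dNSName, used to answer the
# question raised in the thread: given the constraints carried by every CA on
# a path, can a leaf for a given host name be issued under it?  All chains,
# CA names and domains below are constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class CA:
    name: str
    # dNSName entries of permittedSubtrees; an empty list means unconstrained
    permitted: list[str] = field(default_factory=list)
    # dNSName entries of excludedSubtrees; an exclusion always wins
    excluded: list[str] = field(default_factory=list)


def dns_in_subtree(host: str, subtree: str) -> bool:
    """RFC 5280: a constraint 'host.example.com' is satisfied by any name built
    by adding zero or more labels on the left.  A leading dot (an OpenSSL
    convention, not RFC text) is treated here as 'strict subdomains only'.
    A wildcard label in the host ('*.tum.de') is just another label, so it
    matches a constraint on the parent zone, as common implementations do."""
    host = host.lower().rstrip(".")
    sub = subtree.lower().rstrip(".")
    if sub.startswith("."):
        return host.endswith(sub)
    return host == sub or host.endswith("." + sub)


def ca_permits(ca: CA, host: str) -> bool:
    """Apply one CA's constraints: excluded first, then permitted (if any)."""
    if any(dns_in_subtree(host, e) for e in ca.excluded):
        return False
    if ca.permitted and not any(dns_in_subtree(host, p) for p in ca.permitted):
        return False
    return True


def chain_violations(chain: list[CA], san_dns_names: list[str]) -> list[tuple[str, str]]:
    """Every CA on the path applies its constraints to every SAN dNSName of the
    leaf.  Returns the (ca_name, host) pairs that fail; empty means issuable."""
    return [(ca.name, h) for ca in chain for h in san_dns_names if not ca_permits(ca, h)]


# Constructed chains.  'tum.de' is assumed as the university's zone, and the
# exclusion of 'admin.tum.de' is invented to show that excluded beats permitted.
ROOT = CA("Root CA")
INTERMEDIATE = CA("Intermediate CA")
CONSTRAINED_SUBCA = CA("University sub-CA", permitted=["tum.de"], excluded=["admin.tum.de"])
UNCONSTRAINED_SUBCA = CA("University sub-CA (no constraints)")

# The "right way": the university sub-CA can only issue inside its own zone.
CONSTRAINED_CHAIN = [ROOT, INTERMEDIATE, CONSTRAINED_SUBCA]
# The "stupid way" from the thread: nothing on the path limits the sub-CA.
UNCONSTRAINED_CHAIN = [ROOT, INTERMEDIATE, UNCONSTRAINED_SUBCA]

if __name__ == "__main__":
    probes = (["www.net.in.tum.de"], ["*.tum.de"], ["www.admin.tum.de"], ["www.cia.gov"])
    for chain in (CONSTRAINED_CHAIN, UNCONSTRAINED_CHAIN):
        for hosts in probes:
            print(chain[-1].name, hosts, chain_violations(chain, hosts) or "issuable")
```

Two caveats a practitioner should keep in mind: the extension only bites when the relying party actually enforces it on the path, and it says nothing about what an RA may ask an unconstrained CA to sign through an API, which is exactly why the thread argues that disclosure of each party's issuance capability has to come first.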