[Operators] SSL certificates / private CAs / CACert issue

Claudiu Curcă claudiu at coderollers.com
Sun Dec 16 23:23:58 UTC 2012


Hello Peter,

It seems that I cannot persuade you off this road.

I agree that the current state of CAs and the infrastructure has reached its maximum "scale" and a revolution is needed in this area. There are quite a few proposals around, which I won't go into detail about, but which are not adopted because "the current system is bad, but still works". It's pretty much like the IPv4 vs IPv6 debate. However, if you believe that the answer to this is that everyone's and their dog's CA should be trusted by everyone else and their cats, then I rest my case. This is akin to anarchy, and even though all government forms and ideologies are flawed, anarchy will never be the answer.

I wish you good luck in your quest.

Claudiu

-----Original Message-----
From: operators-bounces at xmpp.org [mailto:operators-bounces at xmpp.org] On Behalf Of Peter Viskup
Sent: Monday, 17 December 2012 0:14
To: operators at xmpp.org; ejabberd at jabber.ru
Subject: Re: [Operators] SSL certificates / private CAs / CACert issue

I do understand the role of SSL and CAs well.
Let me share some words from one of the CACert people (from the mailing thread I posted at the beginning):
"One of the problems with CAcert: They sign certificates without any
 assurance of the issuer - the same as what StartCom does for class 1
 certificates, but StartCom is usually trusted by all major web browsers.
 If CAcert would offer certificate signing *only* for assured members,
 this would already improve security and trustworthiness, since then you
 can be sure that a CAcert signed certificate is issued by a *known*
 person and not just by someone who has control over the mail server of a
 domain."

I do understand that a list of trusted CAs could lead to "higher" security, but if we (XMPP operators) do accept CACert or StartCom then there can be no issue with accepting other CAs. What rules were followed in accepting these CAs?

The other case is:
you said I am ignorant because I do not follow some standard security advice and use our own CA for SSL/TLS on our public services. I fully agree with the security standards and best practices, but the question is - how many servers do use certificates which are not signed by a trusted CA in the XMPP (or SMTP) world? And if the number is higher than 1-10-20-40-100-1000-Idon'tknowhowmany - aren't you the one ignorant of reality?
This is the reason for the discussion - to recognize how many servers are using such certificates and/or certificates from CACert or other low-cost/problematic CAs (StartCom, [compromised] Verisign?, [compromised] whatever-else).
...and to come to some consensus regarding these issues in the end.

Anyway, the CA world in general is in crisis and there are many voices calling for something which will solve all SPOFs in this design. This is another grey point in the CA design which should be kept in mind.

These are links to both threads:
[1] ejabberd
http://lists.jabber.ru/pipermail/ejabberd/2012-December/007894.html
[2] XMPP operators
http://mail.jabber.org/pipermail/operators/2012-December/001528.html

--
Peter Viskup