| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: yossarian at planet.nl (yossarian) Subject: PGP vs. certificate from Verisign ----- Original Message ----- From: "Shawn McMahon" <smcmahon@....com> To: <full-disclosure@...ts.netsys.com> Sent: Monday, May 12, 2003 1:09 AM Subject: Re: [Full-Disclosure] PGP vs. certificate from Verisign Yossarian wrote >> What I wonder - will Verisign have set up CRL servers yet? Remember the IE >> problem when someone got hold of MS certificates? The MS-fix was >> blacklisting them locally, the real problem was that there was no revocation >> servers. Then again, how many concurrent connections would they get if MS >> sent out a critical update? > >> So - stick to PGP - forget about PKI. Shawn wrote: >Pardon me if a clue whizzed by while I was working, but I read this as >"PKI doesn't have any way to guarantee ad-hoc revocation of a >certificate, so stick to PGP, which also doesn't have any way to >guarantee ad-hoc revocation of a certificate". Well, other arguments have come along in this discussion, such as the legalities, but they don't appy in all countries. But most of Europe and US, though. If you don't need revocation, a class 1 might do. It does not really matter wether it is ad hoc, if you need a revocation, it probably needs to be soon. There are some other arguments - and now some people might not agree - I think i might give just a few: X.509 is not a single standard. v3 is the current, but as Peter Guttman explains in length, there are more than a dozen official subtypes. Different subtypes and implementations usually can not cooperate. The v3 standard incidentally has expired - what is next? Of course if we all use Verisign, their cert will be the de facto standard. Many other companies have stepped out of PKI anyway. Which makes this problem worse, in a way - there is much less effort in the further development. PKI gives a sense of security, but it is not (yet) adequate to lower your defences - who do you trust? Maybe the CA has good policies, and maybe the auditing by some accounting firm (KPMG, CGEY, etc.) is good, but all you can do here is believe or not believe them - the reports are just paper. There are quality standards, like ETSI 101 456 - but how clear are they? Maybe to you - read them first and try to see its impact. Then look at the auditors making these reports - what is the skill level and what are the commercial interests? (KPMG has invested heavily in PKI, to become a CA) What the MS incident proved is that Verisign gave certs to people pretending to represent MS.... So do you trust the CA or its accountant? And what is the impact of cross certifications - i.e. when a company buys software from RSA it can make its own certificates, that are co-signed by RSA. How trustworthy is this company? So, how good are these certificates? What does a cert prove (the traditional which John Doe question) about the 'other' end of communication? Where and how do you store your private keys? Testing showed that it can be found and retrieved from your harddisk, so it has to be on a smartcard at least. Do you have one? Do the people you are communicating with have one? The same goes for PGP - but again there is no legal risk. The free certificates from Thawte are to build a web of trust yourself, just like PGP. With some nasty things - the Notaries. These can 'verify' the validity of someone's certificate. But how to become one? Pay $25 and fax or mail copies of a passport. Well, now I wonder - how then do they check wether these copies have not been falsified? So I guess this not what the Versign PKI is all about - but some completely different. Well, there is more, but then this will become a real lengthy argument. yossarian
Powered by blists - more mailing lists