Message-ID: <AANLkTimqO4Jt04iFGBLNJXq0LXjWtJttRDjTbTvKudLP@mail.gmail.com>
Date: Sat, 24 Jul 2010 19:10:24 -0400
From: Dan Kaminsky <dan@...para.com>
To: Pavel Kankovsky <peak@...o.troja.mff.cuni.cz>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Expired certificate
> People may neglect to revoke certificates that have become invalid (e.g.
> a personal certificate for someone who has deceased).
>
And what do you think is doing revocation checking?
Hint: Even fewer things than are doing chain validation.
> The problem is a conflict between security and convenience.
>
The problem is that we assume that security doesn't have to be convenient.
>
> Ironically, online communication allows a rather elegant solution: you can
> have a hierarchy of certificates starting with short-lived certs for
> routine operation issued online by the lowest level of intermediate CAs
> with each level offering less automation to reduce exposure and longer
> lifetimes to make up for lost convenience.
>
Intermediate certs? You mean those god-mode can-sign-anything certs that
are sold for a pile of money, a wink, and a smile?
>
> Unfortunately, this approach (while being quite feasible from the
> technical POV) appears to be incompatible with the business model of
> existing CAs.
>
Everyone loves blaming the business guys. Nope. When it comes to X.509, we
nerds blew it.
> If you have got 500 servers that need renewed certificates then you have
> got 500 servers that need patches installed, not to mention other routine
> admin tasks. If you need 8 man hours per server to renew one certificate,
> how many man hours per server do you need to deploy one patch?
>
Windows Update / BigFix, move on with your life.
> Many (if not most) CAs let you renew a certificate two or three months
> before its expiration and give you the remaining time back. One who needs
> to renew one certificate every other day can do it once in 2 or 3 months
> in batches of up to 30 or 45 renewals without losing anything.
>
Or, you could just have a small handful of servers with keys and leave the
rest without. Which is precisely what we see.
See, here's the problem: You're all talking about what *could* be the
case. I'm telling what *is* the case. Expiration is one of a number of
serious and genuinely unique operational hazards in X.509. We started this
conversation discussing the situation of a CA gov operator who hadn't rolled
their certs. Some people were surprised.
The reality is, it's amazing there was a cert at all.
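The scheme Pavel sketches and the gap Dan points at, as an added example that is not part of either message: a throwaway three-tier hierarchy built with the openssl CLI (long-lived offline root, online intermediate, one-day leaf), then verified the way most software does it (chain only), the way almost nothing does it (with -crl_check), and at a time after the leaf has expired. It assumes a POSIX sh with an openssl binary recent enough for the -CRLfile and -attime verify flags; the names (Example Root, Example Online CA, www.example.test) and the temp-directory layout are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: the hierarchy Pavel describes (long-lived
# offline root -> online intermediate -> one-day leaf) built with the openssl
# CLI, then verified with chain validation only, with -crl_check, and at a
# later time. Names such as "Example Root" and www.example.test are made up.
set -e

# openssl config: an empty DN section (subjects come from -subj), one extension
# section per tier, and an 'openssl ca' database so the intermediate can issue
# leaves and sign CRLs. Written into $WORK by build_pki.
write_config() {
  cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ root_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ int_ext ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage         = critical, keyCertSign, cRLSign
[ leaf_ext ]
basicConstraints = critical, CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ ca ]
default_ca = online_ca
[ online_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir
certificate      = $dir/int.crt
private_key      = $dir/int.key
serial           = $dir/serial
crlnumber        = $dir/crlnumber
default_md       = sha256
default_days     = 1
default_crl_days = 1
policy           = any_policy
x509_extensions  = leaf_ext
unique_subject   = no
[ any_policy ]
commonName = supplied
EOF
}

# Builds root (10 years), intermediate (1 year) and a 1-day leaf in a fresh
# temp dir, plus an initial empty CRL. openssl chatter goes to $LOG.
build_pki() {
  WORK=$(mktemp -d); LOG="$WORK/openssl.log"
  write_config
  (
    cd "$WORK"
    openssl req -x509 -config ca.cnf -extensions root_ext -newkey rsa:2048 -nodes \
      -days 3650 -subj "/CN=Example Root" -keyout root.key -out root.crt
    openssl req -config ca.cnf -newkey rsa:2048 -nodes \
      -subj "/CN=Example Online CA" -keyout int.key -out int.csr
    openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
      -days 365 -sha256 -extfile ca.cnf -extensions int_ext -out int.crt
    touch index.txt; echo 1000 > serial; echo 1000 > crlnumber
    openssl req -config ca.cnf -newkey rsa:2048 -nodes \
      -subj "/CN=www.example.test" -keyout leaf.key -out leaf.csr
    openssl ca -batch -config ca.cnf -in leaf.csr -out leaf.crt -days 1 -notext
    openssl ca -config ca.cnf -gencrl -out int.crl
  ) >>"$LOG" 2>&1
}

# Revokes the leaf in the intermediate's database and publishes a new CRL.
revoke_leaf() {
  (cd "$WORK" && openssl ca -config ca.cnf -revoke leaf.crt \
     && openssl ca -config ca.cnf -gencrl -out int.crl) >>"$LOG" 2>&1
}

# Runs 'openssl verify' on the leaf with any extra flags; true only on an
# explicit "leaf.crt: OK" (old openssl releases exit 0 even on failure).
chain_ok() {
  (cd "$WORK" && openssl verify "$@" -CAfile root.crt -untrusted int.crt leaf.crt 2>&1) \
    | grep -q '^leaf.crt: OK$'
}
verify_chain()          { chain_ok; }                              # chain validation only
verify_chain_with_crl() { chain_ok -crl_check -CRLfile int.crl; }   # plus revocation check
verify_chain_at()       { chain_ok -attime "$1"; }                  # chain validation at epoch $1

# Stand-alone run: one leaf, five verdicts.
demo() {
  build_pki
  verify_chain          && echo "fresh leaf, chain only:     OK"
  verify_chain_with_crl && echo "fresh leaf, chain + CRL:    OK"
  revoke_leaf
  verify_chain          && echo "revoked leaf, chain only:   OK  (revocation is invisible here)"
  verify_chain_with_crl || echo "revoked leaf, chain + CRL:  rejected"
  verify_chain_at "$(( $(date +%s) + 2 * 86400 ))" || echo "leaf two days from now:     rejected (expired)"
}
demo
```

The third and fourth verdicts are the point of the exchange: the revoked leaf still passes plain chain validation, because nothing in the chain itself records revocation, and only a caller that opted into -crl_check and had a current CRL in hand sees it. The last verdict is what the one-day leaf buys: by the time a CRL would matter, the certificate has stopped validating on its own, which is the operational hazard Dan is describing when the rollover does not happen.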
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/