Ben,
Ben Bucksch wrote:
> Our CAs would not be allowed to do that. It's fairly trivial to keep the
> whole list.
> It's not going to grow over a Gigabyte, any MySQL could do that.
> Including the replication to have it redundant.
Certainly it's trivial, but not inexpensive, especially at large scale.
And currently it just isn't guaranteed to happen in most CAs. It
certainly should be allowed to a degree. I think many CAs will keep the
serial numbers of expired certs on their CRLs for a few years after
expiration. But I don't think most do that indefinitely.
One big problem is that there is currently no way to tell which CAs do
and do not.
> The warning, in turn, ensures that you cannot just walk to *any* CA,
> without any connection to the victim site, and get a valid cert. It
> *has* to be signed by the private key, which means the attacker *has*
> to break into my systems.
You could also solve that problem by having only one trusted root, or
having roots that use name constraints. Then everybody would have only
one CA they could go to.
> No. If that one CA then doesn't do a decent job, makes an error, that's
> no help either.
If that happens, then you could stop trusting it, and replace it with
another root that does a better job.
But overall I think it's better to have a system with multiple roots and
overlapping name spaces to maintain competition. However, it definitely
reduces security - the more roots we have, the more difficult it is to
trust them all. That's why audits become even more important.
> If you assume that users ignore and override all warnings, we are
> already screwed with the current system, because the user can also
> override a self-signed cert. Yet, that warning is now a serious stopgap
> for attackers of a bank. And it definitely helps security-conscious users.
Well, I do consider that a serious problem - most users don't understand
PKI, and probably have no business overriding any self-signed cert warning.
> What I am thinking of (which I think is different from that patent) is
> that we attach something to the end (or beginning) of the binary blob
> that is the cert, in a way that it is treated as garbage by older browsers.
Unfortunately, that wouldn't be possible, because it would violate the
existing ASN.1 definition of the signed certificate. There is no
optional field where you could fit a second signature.
In any case, you can just get a second certificate with the same public
key from another CA if you need that ability. It doesn't have to be in
the same unique cert.
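The ASN.1 point above, as an added illustration (my code, not from either poster): a minimal DER walker over a constructed toy certificate shows the two places a second signature could go. Appended after the blob, it lands outside the outer Certificate SEQUENCE, where a strict decoder sees trailing bytes; placed inside it, it breaks the fixed three-element definition. The tag/length checks and toy bytes are assumptions for the demonstration.

```python
# Added example (not from the thread): a minimal DER walker showing why an
# X.509 Certificate leaves no slot for a second signature; toy bytes, not a real cert.

CERT_SHAPE = [0x30, 0x30, 0x03]  # tbsCertificate, signatureAlgorithm, signatureValue


def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("element length runs past end of buffer")
    return tag, pos, pos + length


def certificate_layout(der):
    """Return (child_tags, trailing_bytes) for the outer Certificate SEQUENCE.
    Raises ValueError unless it is SEQUENCE { SEQUENCE, SEQUENCE, BIT STRING }."""
    tag, start, end = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    children, pos = [], start
    while pos < end:
        ctag, _, pos = read_tlv(der, pos)
        children.append(ctag)
    if children != CERT_SHAPE:
        raise ValueError("Certificate must hold exactly 3 elements, got %d" % len(children))
    return children, len(der) - end    # bytes after the SEQUENCE lie outside the certificate


# Constructed toy certificate: SEQUENCE { SEQUENCE{INTEGER 1}, SEQUENCE{OID 1.2}, BIT STRING }
TBS = b"\x30\x03\x02\x01\x01"
ALG = b"\x30\x03\x06\x01\x2a"
SIG = b"\x03\x02\x00\xff"
TOY_CERT = b"\x30\x0e" + TBS + ALG + SIG
EXTRA = b"\x03\x02\x00\xee"                        # hypothetical "second signature" BIT STRING
APPENDED = TOY_CERT + EXTRA                        # glued after the blob: outside the structure
INSERTED = b"\x30\x12" + TBS + ALG + SIG + EXTRA   # placed inside: violates the definition

if __name__ == "__main__":
    print(certificate_layout(TOY_CERT))   # ([48, 48, 3], 0)
    print(certificate_layout(APPENDED))   # ([48, 48, 3], 4): trailing bytes a strict decoder rejects
    try:
        certificate_layout(INSERTED)
    except ValueError as e:
        print("inserted:", e)
```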
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto