Re: [therightkey] DNSNMC deprecates Certificate Authorities and fixes HTTPS security

Ralph Holz <holz@net.in.tum.de> Tue, 17 December 2013 10:40 UTC

Message-ID: <52B02A10.1040403@net.in.tum.de>
Date: Tue, 17 Dec 2013 11:40:16 +0100
From: Ralph Holz <holz@net.in.tum.de>
To: therightkey@ietf.org
References: <22429D73-4EFC-4091-8F5B-BAD38968EA54@taoeffect.com> <CAMm+LwiMXdEnHqD0y_S-fP6081Tk=A=7-9LsJQhRuawmmmfdTg@mail.gmail.com> <FEFA307D-97E0-4C58-AB43-5B9AB8E8FC70@taoeffect.com> <CAMm+Lwjwww28tV_qvqQVH3xo1xqvjb6z++258+LOqgxWn-Oh9w@mail.gmail.com> <D0008C27-16EE-41F9-954E-CA51536CD1F0@mnt.se>
In-Reply-To: <D0008C27-16EE-41F9-954E-CA51536CD1F0@mnt.se>

Hi,

> yep, DFN is a 'private' sub-CA under tight control but it could still be
> attacked the way DigiNotar was and though I believe their security is a
> lot better than their less fortunate Dutch cousins, a successful attack
> would be just as bad.

That is true for any CA, sub-* or not. The important point is where the
private key is kept.

In the case of the DFN, the 'many subCAs' are actually RAs without
signing capacity. I'd be much more worried about some resellers of the
very popular CAs. Anyone remember Comodo's InstantSSL reseller?

Ralph

-- 
Ralph Holz
I8 - Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
Phone +49.89.289.18043
PGP: A805 D19C E23E 6BBB E0C4  86DC 520E 0C83 69B0 03EF