Re: [therightkey] DNSNMC deprecates Certificate Authorities and fixes HTTPS security

Ralph Holz <holz@net.in.tum.de> Fri, 27 December 2013 10:06 UTC

Message-ID: <52BD511F.4040005@net.in.tum.de>
Date: Fri, 27 Dec 2013 11:06:23 +0100
From: Ralph Holz <holz@net.in.tum.de>
To: therightkey@ietf.org, schoen@eff.org
References: <22429D73-4EFC-4091-8F5B-BAD38968EA54@taoeffect.com> <CAMm+LwiMXdEnHqD0y_S-fP6081Tk=A=7-9LsJQhRuawmmmfdTg@mail.gmail.com> <FEFA307D-97E0-4C58-AB43-5B9AB8E8FC70@taoeffect.com> <CAMm+Lwjwww28tV_qvqQVH3xo1xqvjb6z++258+LOqgxWn-Oh9w@mail.gmail.com> <52B88104.9040607@appelbaum.net>
In-Reply-To: <52B88104.9040607@appelbaum.net>

Hi,

[The EFF's count]

>> You can't calculate the number of CAs the way the EFF tried to. An
>> intermediate certificate does not equate to a CA. Pretending it does to
>> peddle an alternative PKI scheme calls into question their veracity.
>>
> 
> I disagree strongly. I have an intermediate certificate. I am as
> powerful a CA as a result.
> Please also see these estimates which are even higher:
> 
> https://zakird.com/slides/durumeric-https-imc13.pdf
> 
> "Identified 1,832 CA certificates belonging to 683 organizations"
> "311 (45%) of the organizations were provided certificates by
> German National Research and Education Network (DFN) "

I was there at IMC and spoke with Zakir. He was not aware of the fact
that the private keys to all the intermediate certificates are held by
the central DFN Verein, not the RAs themselves. In the case of DFN, the
intermediate certs only identify the RAs. The RAs do not carry signing
power.

It is the same at TUM, where I work, BTW.

Ralph

-- 
Ralph Holz
I8 - Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
Phone +49.89.289.18043
PGP: A805 D19C E23E 6BBB E0C4  86DC 520E 0C83 69B0 03EF