Re: [therightkey] RA vs CA
Phillip Hallam-Baker <hallam@gmail.com> Wed, 08 January 2014 19:29 UTC
Date: Wed, 8 Jan 2014 14:29:11 -0500
Message-ID: <CAMm+LwgsAzM8FYGBzAK0JN-_5sdyaRS1KBsRnMbV8kxGXQUKHQ@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Ben Laurie <benl@google.com>
Cc: Ralph Holz <holz@net.in.tum.de>,
"therightkey@ietf.org" <therightkey@ietf.org>,
Seth David Schoen <schoen@eff.org>
Subject: Re: [therightkey] RA vs CA
There is a problem here with the conventional nomenclature. The term CA can mean the legal entity or the machine in control of the private key. As with the original RSA paper that asserted Alice is a Turing machine, this is a problem.

The EFF study conflates the term RA with issue under an intermediate certificate; the two are completely separate. There are plenty of examples of an RA that issues directly under the CA root, and there are plenty of examples where a CA manages an intermediate root directly.

The best definition of the RA function is that the RA is responsible for authorizing issue of certificates. But authorization from the RA is only a necessary condition; it is not necessarily sufficient.

In the WebPKI an affiliate or enterprise customer may run an RA, but the CA is now required to perform certain validation functions directly. Since you probably don't want to have the validation taking place in the room with the private key, the logical arrangement is again an RA.

On Wed, Jan 8, 2014 at 1:30 PM, Ben Laurie <benl@google.com> wrote:
> On 27 December 2013 10:06, Ralph Holz <holz@net.in.tum.de> wrote:
> > Hi,
> >
> > [The EFF's count]
> >
> >>> You can't calculate the number of CAs the way the EFF tried to. An
> >>> intermediate certificate does not equate to a CA. Pretending it does to
> >>> peddle an alternative PKI scheme calls into question their veracity.
> >>>
> >>
> >> I disagree strongly. I have an intermediate certificate. I am as
> >> powerful a CA as a result.
> >> Please also see these estimates which are even higher:
> >>
> >> https://zakird.com/slides/durumeric-https-imc13.pdf
> >>
> >> "Identified 1,832 CA certificates belonging to 683 organizations"
> >> "311 (45%) of the organizations were provided certificates by
> >> German National Research and Education Network (DFN) "
> >
> > I was there at IMC and spoke with Zakir. He was not aware of the fact
> > that the private keys to all the intermediate certificates are held by
> > the central DFN Verein, not the RAs themselves. In the case of DFN, the
> > intermediate certs only identify the RAs. The RAs do not carry signing
> > power.
>
> What is the function of an RA, then, if not to tell a CA "sign this"?

--
Website: http://hallambaker.com/
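As an added illustration (not code from this thread or from any CA), a small Python model of the arrangement described above: the RA's authorization is checked but is not sufficient on its own, the CA's own validation runs in a component that never touches the issuing key, and only the signer holds that key. HMAC over constructed keys stands in for real signatures (a real signer would verify the RA's public-key signature instead of sharing a secret with it), and every name and key is made up.

```python
"""Toy model of the RA/CA split from the thread. HMAC over constructed keys
stands in for real signatures; every name and key here is made up."""
import hashlib
import hmac
import json

RA_KEY = b"constructed-ra-key"                 # held by the RA (affiliate/enterprise)
VALIDATOR_KEY = b"constructed-validator-key"   # held by the CA's validation service
ISSUER_KEY = b"constructed-issuer-key"         # held only by the signer, nowhere else


def _mac(key, role, payload):
    """Deterministic tag over a role label plus a canonical JSON encoding of the payload."""
    msg = role.encode() + b"\0" + json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def ra_authorize(request):
    """RA step: authorize issuance. Necessary for signing, but not sufficient."""
    return {"request": request, "ra_auth": _mac(RA_KEY, "ra", request)}


def ca_validate(request, control_proofs):
    """CA's own validation, run in a component that never sees ISSUER_KEY.
    control_proofs maps a name to the CA's own result for it (constructed)."""
    if control_proofs.get(request["name"]) != "verified":
        return None
    return _mac(VALIDATOR_KEY, "validated", request)


def sign_certificate(authorized, validation):
    """Signer: release a 'certificate' only if both the RA authorization and the
    CA's validation record verify for the same request. Returns (ok, value)."""
    request = authorized["request"]
    if not hmac.compare_digest(authorized["ra_auth"], _mac(RA_KEY, "ra", request)):
        return False, "RA authorization does not verify"
    if validation is None or not hmac.compare_digest(
        validation, _mac(VALIDATOR_KEY, "validated", request)
    ):
        return False, "CA validation missing or does not match request"
    return True, {"tbs": request, "sig": _mac(ISSUER_KEY, "cert", request)}


def issue(request, control_proofs):
    """Whole flow: RA authorizes, CA validates separately, signer signs."""
    return sign_certificate(ra_authorize(request), ca_validate(request, control_proofs))
```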