North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
Does your Certifying Authority have a clue who you are? Do they care?
So, an interesting thing happened to me yesterday. I run OpenBSD's https.openbsd.org site. Of course, we have an SSL Site certificate for this site. When we first started the site, (about 6 years ago) we got a site certificate from Thawte. Back in these days they were based in South Africa, and had a Canadian Legal firm to verify who we were. So of course, Theo had to fax them some stuff, as did I. etc. etc. The whole process was rather painful, particularly since "OpenBSD" isn't a company, so we couldn't exactly send incorporation documents and the like. Nevertheless, supposedly this is to provide some sort of protection for people - that "OpenBSD" really is who it claims to be. So, time comes to renew the certificate again, and give Thawte their bi-yearly sum to keep our server cert alive. Every other year, the renewal process has been automatic, They already have our documentation on file so presumably they can and do check this. This year, they know nothing, They have been bought by verisign and they want new documentation. The conversation went something like this: <"What happened to our previously sent documentation?" >"It's in a warehouse in Canada, because we changed how we do things" <"Why can't you get it from there - We're a multinational volunteer organization, coming up with any sort of stuff like this is a pain" >"Well, we can't". <"So you've lost it?" >"No, we know where it is, it's in the Warehouse" <"Well, you can't get it because you don't know where it is in the Warehouse" >"Yes, so what can you send us?" <"Are you going to get the documents from Canada?" >"Yes, but we're not sure when or how?" So the long and the short of it is, our CA has *LOST* the documents showing who we are, and wants new ones. Had someone previously filed fraudulent documents to obtain an ssl certificate, they wouldn't have copies of those. So, the real question is, what good does it do to send supporting documentation to these services, if all they do is lose them? Is this really providing anyone with any security, or is this really just a thinly veiled revenue generation procedure. If they can't even produce the documentation used to support a certificate they've issued, then why the heck ask for, and charge money for this in the first place? Of course my certificate is good for X years, not to protect me from my cert being exposed, but just to get more money after X years. Certificate revocation? Who actually uses that, for real, in a manner that any widespread public apps (i.e. web browsers) will pay attention to? Needless to say, any real confidence I (used to) have in Thawte (back when it made Mark Shuttleworth enough money to buy a ride on the space station) is really no more. (And no, I never really did have any confidence in https, because of the human engineering issues) Anyway, we got a new cert from a provider that only cares about domain ownership, which works fine. The real question is, between the fact that the web browsers makes it so easy for knuckle dragging apes to accept any certificate out there anyway, and if the CA's aren't doing anything to speak of with the "Supporting Documentation", Who are we kidding that there's any real point (security wise) to this exercise? Time for a new protocol that just stores the public key the first time like SSH, and the user maintains their own list? Really, is that any less secure than this ongoing nonsense from a practical perspective? (Other than there's no way for CA's to make money off of it?) -Bob