Re: Question on necessity of SSL_CTX_set_client_CA_list

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 06/12/2018 11:48, Michael Ströder wrote:
On 12/6/18 10:03 AM, Jakob Bohm via openssl-users wrote:
On 05/12/2018 17:59, Viktor Dukhovni wrote:
IIRC Apple's Safari is ending support for EV, and some say that EV
has failed, and are not sorry to see it go.
This is very bad for security.  So far the only real failures have
been:

1. Some cloud provider(s) actively want to reduce all TLS security to
   the anonymous form provided by Let's encrypt, and are doing their worst
   to sabotage EV providing CAs.
Quoting from Peter Gutmann's "Engineering Security",
section "EV Certificates: PKI-me-Harder"

     Indeed, cynics would say that this was exactly the problem that
     certificates and CAs were supposed to solve in the first place, and
     that “high-assurance” certificates are just a way of charging a
     second time for an existing service.

I fully agree with the above and I'm also for removing this crap from
the browser UI.
Peter Gutman, for all his talents, dislikes PKI with a vengeance.

EV is a standard for OV certificates done right.  Which involves more
thorough identity checks, stricter rules for the CAs to follow etc.

The real point of EV certificates is to separate CAs that do a good
job from those that do a more sloppy job, without completely distrusting
the mediocre CA operations.

Due to market forces, the good CAs also offer the weaker certificate
types at a lower price to compete with the mediocre CAs that are aren't
good/thorough enough to do the full job.

The way EV certs are highlighted in Browsers (Green bar etc.) was a way
to create market demand for the higher quality.  They could be indicated
in some other useful way of cause, but the distinguishment between "The
CA did something to check the name and real world address in the
certificate" (OV) versus "The CA checked the name and and real world
address thoroughly in accordance with the higher quality standard" (EV)
is still of some significance.

If you look at that long list of CA roots preinstalled in a typical
browser, only a minority are authorized, trusted and audited to issue
to the higher EV standard.



Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux