Re: What's the best way to ban Let's encrypt based certificates? or whitelist a very narrow list of Root and Intermediates CA?

OK so,

Every Root CA has a different level of certification.
For example there are Root CAs which are allowed to sign only for encryption
...and basic domain ownership validation which can be verified against a Domain Registrar.
Compared to this there are a couple of other levels of certificates, like what is named "EV" (the one of banks and other such critical orgs).
Let's Encrypt brings to domain ownership the ability to be verified as the domain owner or its proxy.

The Root CA that Bank of America uses has the license to offer not only encryption but also:
* Ensures the identity of a remote computer
* Proves your identity to a remote computer
* Protects e-mail messages
* Ensures software came from software publisher
* Protects software from alteration after publication
* Allows data to be signed with the current time

Compared to Let's Encrypt, which is an intermediate CA with the following license:
* Protects e-mail messages
* Ensures the identity of a remote computer
* Proves your identity to a remote computer
* Allows data to be signed with the current time
* Allows data on disk to be encrypted
* 2.23.140.1.2.1
* 1.3.6.1.4.1.44947.1.1.1
* Document Signing

Which doesn't include:
* Ensures software came from software publisher

Which is critical for ISO-bound web services.

In other words:
If the certificate is not EV, i.e. the name of the corporation or business, it means that it's not ISO compliant regarding
paying using a credit/Visa/other card.

So if you are going to pay someone over the Internet, only pay if you know and have validated the identity of the owner and/or organization.
This concept was introduced to prevent phishing and other things.
One of the exceptions I have seen is the PayPal main site, which does have an EV named license/certificate, but the name is not embedded into the certificate, so I prefer not to buy on this specific site but buy locally.

All The Bests,
Eliezer

* For others, PayPal might be good enough...

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer@xxxxxxxxxxxx



-----Original Message-----
From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Andrea Venturoli
Sent: Monday, January 21, 2019 10:51
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re:  What's the best way to ban Let's encrypt based certificates? or whitelist a very narrow list of Root and Intermediates CA?

On 1/20/19 11:02 PM, Eliezer Croitoru wrote:

> The issue is that these sites are encrypted but do not offer any way 
> of assuring real ISO and couple other compatibilities of the ORG.
> 
> For a simple home user it’s fine most of the time but for some it’s not.

Just out of curiosity, could you explain this better?
Pointers are enough if you prefer.

  bye & Thanks
	av.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users

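Added example, not code from this thread or from the Squid project: the classification logic one would put behind an external certificate-validator helper (Squid's sslcrtvalidator_program interface; the helper-protocol plumbing itself is not shown) to act on the fields the message above lists. The two numeric OIDs in the message are certificatePolicies entries: 2.23.140.1.2.1 is the CA/Browser Forum domain-validated policy OID and 1.3.6.1.4.1.44947.1.1.1 is ISRG's (Let's Encrypt's) CPS OID; the bullet descriptions are how the Windows certificate viewer renders extendedKeyUsage values and such OIDs. The Go program below, standard library only, reads the policy OIDs, subject organisation and issuer organisation of a leaf and returns a verdict, then applies the thread's two options (ban Let's Encrypt, or additionally require EV). Because no real certificate ships with it, it mints its own test leaves with constructed organisation names ("Example Trust Services", "Example Bank Corp", and an issuer named "Let's Encrypt" that is not the real CA); the Verdict type, the OID-to-level mapping and every function name are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// CA/Browser Forum validation-level policy OIDs plus the ISRG (Let's Encrypt) CPS OID from the message.
var (
	oidCABFDV  = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1}
	oidCABFOV  = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 2}
	oidCABFEV  = asn1.ObjectIdentifier{2, 23, 140, 1, 1}
	oidISRGCPS = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 44947, 1, 1, 1}
)
// Verdict is what a certificate-validator helper would hand back to the proxy.
type Verdict struct {
	Validation  string // "EV", "OV", "DV" or "none"
	LetsEncrypt bool   // issuer O="Let's Encrypt" or the ISRG CPS policy OID is present
}
// Classify reads the leaf only; chain building and trust decisions stay with the TLS stack.
func Classify(leaf *x509.Certificate) Verdict {
	seen := map[string]bool{}
	for _, p := range leaf.PolicyIdentifiers {
		seen[p.String()] = true
	}
	v := Verdict{Validation: "none"}
	hasOrg := len(leaf.Subject.Organization) > 0 // EV and OV must name an organisation
	switch {
	case seen[oidCABFEV.String()] && hasOrg:
		v.Validation = "EV"
	case seen[oidCABFOV.String()] && hasOrg:
		v.Validation = "OV"
	case seen[oidCABFDV.String()]:
		v.Validation = "DV"
	}
	for _, org := range leaf.Issuer.Organization {
		v.LetsEncrypt = v.LetsEncrypt || org == "Let's Encrypt"
	}
	v.LetsEncrypt = v.LetsEncrypt || seen[oidISRGCPS.String()]
	return v
}

// Allowed applies the thread's two options: ban Let's Encrypt, and optionally require EV.
func Allowed(v Verdict, requireEV bool) bool {
	return !v.LetsEncrypt && (!requireEV || v.Validation == "EV")
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}
// policiesExtension hand-encodes certificatePolicies as SEQUENCE OF PolicyInformation { policyIdentifier OID }.
func policiesExtension(oids []asn1.ObjectIdentifier) pkix.Extension {
	type policyInformation struct{ Policy asn1.ObjectIdentifier }
	var infos []policyInformation
	for _, o := range oids {
		infos = append(infos, policyInformation{o})
	}
	der, err := asn1.Marshal(infos)
	check(err)
	return pkix.Extension{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: der}
}

// mintLeaf builds a constructed test leaf signed with its own key; the issuer is only a name, which is
// enough for a classifier that never verifies the chain. Nothing here is a real Let's Encrypt or bank cert.
func mintLeaf(issuerOrg, subjectOrg string, policies []asn1.ObjectIdentifier) *x509.Certificate {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	leaf := &x509.Certificate{
		SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		Subject:      pkix.Name{CommonName: "www.example.test"}, DNSNames: []string{"www.example.test"},
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if subjectOrg != "" {
		leaf.Subject.Organization = []string{subjectOrg}
	}
	if len(policies) > 0 {
		leaf.ExtraExtensions = []pkix.Extension{policiesExtension(policies)}
	}
	issuer := &x509.Certificate{Subject: pkix.Name{Organization: []string{issuerOrg}}}
	der, err := x509.CreateCertificate(rand.Reader, leaf, issuer, pub, priv)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

func main() {
	dv := mintLeaf("Let's Encrypt", "", []asn1.ObjectIdentifier{oidCABFDV, oidISRGCPS})
	ev := mintLeaf("Example Trust Services", "Example Bank Corp", []asn1.ObjectIdentifier{oidCABFEV})
	fmt.Printf("%+v allowed=%t\n%+v allowed=%t\n", Classify(dv), Allowed(Classify(dv), true), Classify(ev), Allowed(Classify(ev), true))
}
```

Two points a practitioner should take from this. First, the EV verdict requires both the EV policy OID and a subject organisation, because the organisation name is the thing EV actually certifies; a policy OID alone proves nothing. Second, everything the classifier reads (issuer name, policy OIDs) is asserted by the certificate itself, which is exactly why mintLeaf can produce a leaf "issued by" any name it likes: the proxy must have verified the chain to a trusted root before any of these fields mean anything, and matching on issuer name as well as on the private CPS OID avoids a silent bypass if the CA drops that OID from its profile.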