Even if your browser was personally installed by the Pope, you still
have the same problem.

First, the self-signed root certificates included in every machine
generally don't represent any duly constituted public authority. They're
typically the product of companies that can be bought and sold, and have
been bought and sold, sometimes by some iffy new owners. We should all
be thankful that the recent acquiror of GeoTrust wasn't a front for the
Russian mafia. There are no assurances that won't happen in the future;
it would be a perfectly legal transaction. Imagine XYZ Enterprises
purchasing the birth and death records department, the building
inspections department, the health inspection department at your city
hall. In this online space we inhabit, that's the way it's done. There
is only one source of duly constituted public authority that I know of
that is seriously trying to do something about the situation.

Second, the certifications themselves are typically meaningless. If you
have a phone line you can get that lock icon on your site. You don't
have to sign personally. You don't have to demonstrate that you're
anything but a career criminal. All they need to know is that their
robot can place a call to the phone number you gave, and that you can
type a control number from a browser into a phone keypad. Imagine a
world where building permits were signed by bunch_of_architects.com,
structural_engineers_r_us.com and building_inspectors.com instead of
licensed professionals - individual human beings - who could be held
accountable for their work. Yep, that's our online world. The result is
the urban slum that is the Internet. (See my sig for a view of how this
has affected the world.)

Third, as you point out, there is no standard by which identity is
established in the RA (registration authority) process. I suggest that
even with private meetings and USB sticks, you can still only trust a
universe that is as big as your collegial group, maybe two or three
relationships removed from yourself as long as no serious money is
involved. Tabelio is the only thing I know of that tries to remedy this
situation by issuing a truly reliable universal ID credential while at
the same time fully protecting individual privacy (full disclosure: I am
involved with Tabelio).

SSL is great. It's time to connect it to the real world using methods
and procedures that have been working well for thousands of years.

Alain Damiral wrote:
"Registers the CA as a trusted authority (how?)"
Yes, that is the entry point into the trust model. A client can only
trust you as much as he trusts the way he got the certificate of the
CA that certified you. So private meetings and USB sticks are usually
a decent way to go I believe.
This indeed means that if you downloaded your web browser from a dodgy
source (and the Internet is dodgy) in theory you can't really trust
the CA certificates that were delivered with it :)

Dave Pawson wrote:
I'm trying to get my head round a basic setup.
I want to use ssl between a java client and IIS server,
I'm happy with a self certification system, i.e. not using Thawte etc.
since it is currently only a two terminal setup.
From what I've read to date, openssl seems to fit the bill. I hope so.
Please correct me if I'm wrong.
1. 'me' as CA
Generate a key pair and 'self sign' it.
2. Endpoint A (client)
Generate a certificate request
send it to CA
CA signs it and returns a certificate.
3. Endpoint B (server/recipient of REST service)
Registers the CA as a trusted authority (how?)
'Has access' to the private key of the CA (the server and CA are
in reality one and the same organisation)
4. The client encrypts using the public key returned by the CA
5. The server decrypts using the private key.
1. Is this logic OK?
2. I've used the ca.pl scripts so far which seem to handle most
of what I'm after.
I'm basing it on
http://www.mobilefish.com/developer/openssl/openssl_quickguide_create_ca.html
How easy is it to translate this into what I want please?
3. Is openssl the right tool for this scenario?
regards

--
Wes Kussmaul
CIO
The Village Group
738 Main Street
Waltham, MA 02451
781-647-7178
My uncle likes to say that the world’s biggest troubles started when the serpent said, “Try this fruit, and by the way if a bunch of people collectively calling themselves Arthur Andersen signs something it’s the same as if a person named Arthur Andersen signed it.” I don’t get the serpent and fruit part. Must be some Swiss mythology thing. He can be a bit obscure.
P.K. Iggy
_How I Like Fixed The Internet_
(Tales from the Great Infodepression of 2009
and the prosperity that followed)
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
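
Added example, not part of the original thread or of the OpenSSL project's scripts: the private-CA steps discussed above, done with plain openssl commands, followed by the check that a certificate verifies only against the CA certificate the verifier chose to trust. All file names and subject names are constructed for the demo, and a default openssl.cnf (which marks `req -x509` output as a CA) is assumed.

```shell
#!/bin/sh
# Constructed demo: private CA, one endpoint certificate, and chain checks.
# Files are written to a temporary directory and left there for inspection.
WORK=$(mktemp -d)

make_ca() {     # $1 = file prefix, $2 = subject CN; writes $1.key and $1.crt
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

issue_cert() {  # $1 = endpoint prefix, $2 = subject CN, $3 = CA prefix
    # The endpoint generates its own key pair and a certificate request ...
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null &&
    # ... and the CA signs that request using the CA private key.
    openssl x509 -req -in "$WORK/$1.csr" -days 30 \
        -CA "$WORK/$3.crt" -CAkey "$WORK/$3.key" -CAcreateserial \
        -out "$WORK/$1.crt" 2>/dev/null
}

chain_ok() {    # $1 = trust anchor prefix, $2 = endpoint prefix
    # Verification reads only the CA certificate, never the CA private key.
    openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

make_ca myca "Example Private CA"
make_ca otherca "Some Other CA"
issue_cert client "client.example" myca

chain_ok myca client && echo "client.crt verifies with myca.crt as trust anchor"
chain_ok otherca client || echo "client.crt is rejected with otherca.crt as trust anchor"
```

The peer that verifies `client.crt` needs a copy of `myca.crt` obtained over a channel it trusts; `myca.key` stays with whoever operates the CA.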