A mighty fortress is our PKI

Perry E. Metzger perry at piermont.com
Mon Jul 26 22:25:40 EDT 2010


On Tue, 27 Jul 2010 01:14:21 +0000 (UTC) Jay Sakata
<jay at edgecast.com> wrote:
> I was very interested to read Peter's analysis of shared SAN
> certificates. While we offer dedicated certificates, the shared
> certificates we offer enable us to conserve IPv4 space while
> helping customers lower costs. We've tested and analyzed these
> shared certificates extensively and in a wide variety of scenarios,
> and we believe they are just as secure as dedicated certificates.

I think that you may be right -- the entire TLS PKI model may be so
horribly broken that, once you no longer have any real security to
speak of, simply sharing a cert among hundreds of trust domains hardly
harms anything further. All major browsers already trust CAs that have
virtually no security to speak of, and for the most part a certificate
only indicates that the CA had reason to believe that someone was in
possession of sufficient funds to pay it for it.

However, I suspect this is not what you meant here.

> And helping our customers manage costs is good corporate
> citizenship. But we will absolutely not compromise security in the
> pursuit of either of these goals; our customers' security is
> paramount.
>
> Of course, security is a journey and not a destination, and we are
> constantly striving to further improve ours.
[...]
> A more secure Internet is in everyone's best interest, and I always
> stand ready to make sure we are doing our part.

[rest elided]

I find it gratifying that my mailing list has gained sufficient public
importance that not one but two technology executives have made the
effort within 48 hours to join it so that they can state their
opinion on the issue that Peter Gutmann raised.

I find it less gratifying, however, when those messages do not focus
on clear discussion of technical merits. This is, after all, a
technical mailing list, intended for technologists to speak clearly,
openly and precisely with each other.

In reading your note, I was reminded of George Orwell's excellent
essay "Politics and the English Language":

   http://www.mtholyoke.edu/acad/intrel/orwell46.htm

If you have not read it, I strongly urge that you do so.


Perry
-- 
Perry E. Metzger		perry at piermont.com

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
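The technical point behind this exchange, separate from the rhetoric, is that a shared SAN certificate puts one private key in front of many unrelated trust domains: whoever holds that key (or compromises any edge that holds it) can impersonate every name in the list. The script below is an added example, not code from the original post, from EdgeCast or from Peter Gutmann's analysis; it reads the dict shape that Python's stdlib `ssl.SSLSocket.getpeercert()` returns, counts how many distinct registrable domains a single certificate covers, and flags the certificate as shared when there is more than one. The sample certificate dict and the tiny `MULTI_LABEL_SUFFIXES` stand-in for the Public Suffix List are constructed for illustration and are assumptions of this example.

```python
"""Report how many distinct trust domains share one TLS certificate.

Added example, not part of the original mailing-list post.  Uses only the
standard library: it consumes the dict returned by
ssl.SSLSocket.getpeercert().  SAMPLE_SHARED_CERT is constructed for
illustration and MULTI_LABEL_SUFFIXES is an assumed stand-in for the real
Public Suffix List.
"""
import socket
import ssl
from collections import Counter

# Assumption: a tiny stand-in for the Public Suffix List.  A real tool should
# load the full list from publicsuffix.org; any suffix not listed here is
# treated as a single label such as "com" or "net".
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp", "com.br"}


def registrable_domain(hostname: str) -> str:
    """Map a SAN dNSName (possibly a wildcard) to its registrable domain."""
    name = hostname.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    labels = name.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def san_dns_names(cert: dict) -> list:
    """Extract the dNSName entries from a getpeercert()-style dict."""
    return [value for kind, value in cert.get("subjectAltName", ())
            if kind == "DNS"]


def shared_cert_report(cert: dict) -> dict:
    """Summarise how many separate trust domains one certificate covers."""
    names = san_dns_names(cert)
    domains = Counter(registrable_domain(n) for n in names)
    return {
        "san_count": len(names),
        "trust_domains": len(domains),
        "wildcards": sum(1 for n in names if n.startswith("*.")),
        "shared": len(domains) > 1,   # one key, several unrelated parties
        "per_domain": dict(domains),
    }


def fetch_peer_cert(host: str, port: int = 443) -> dict:
    """Live helper: fetch the leaf certificate a server actually presents."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample in getpeercert() format: one key, four unrelated tenants.
SAMPLE_SHARED_CERT = {
    "subject": ((("commonName", "cdn.example.net"),),),
    "subjectAltName": (
        ("DNS", "cdn.example.net"),
        ("DNS", "*.cdn.example.net"),
        ("DNS", "www.tenant-a.example"),
        ("DNS", "static.tenant-b.example"),
        ("DNS", "shop.tenant-c.co.uk"),
        ("DNS", "assets.tenant-c.co.uk"),
        ("IP Address", "203.0.113.10"),
    ),
}

if __name__ == "__main__":
    # Replace with shared_cert_report(fetch_peer_cert("some.host")) to check a live server.
    for key, value in shared_cert_report(SAMPLE_SHARED_CERT).items():
        print(f"{key}: {value}")
```

On the constructed sample the report shows six dNSName entries spread over four registrable domains, so the certificate is flagged as shared. Running `shared_cert_report(fetch_peer_cert(host))` against a CDN-hosted site gives the same view of a real certificate; a high `trust_domains` count is what the thread is arguing about.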


