[Cryptography] Certificates and PKI

Tom Mitchell mitch at niftyegg.com
Mon Dec 29 22:52:31 EST 2014

On Tue, Dec 23, 2014 at 3:15 AM, Ben Laurie <ben at links.org> wrote:

> On 22 December 2014 at 17:11, Ray Dillinger <bear at sonic.net> wrote:
>> On 12/22/2014 05:32 AM, Ben Laurie wrote:
>>> Pinning does indeed not care who signed the certificate. However, it
>>> introduces an apparently insurmountable problem: what happens when you
>>> lose your key?
>
>> lost business you incur because you failed to keep it confidential,
>> is part of the cost of doing business.
>
> How do I publicise that my blog has a new certificate?
>
>> This kind of announcement to the attention of actual consumers
>> rather than all behind the scenes and invisible, is how the CA
>> business should have worked from the start.

A blog is an interesting case.  You can publish a personal key (public half)
independent of the web site.  This can add some additional measure
of credibility that you are you.   In a blog footer you can link to other
blogs or other sites you trust and ask people to add your key to a keyring.
You can attach a new signed image or something with each post.

A web site with a single key that they are not in full control of is at risk
for some class of problems that can only be addressed with additional
secured content.

More than anything you can watch (and should watch) your own web site
(content) and the associated https key for changes. It also makes sense to
keep a local backup of your blog and watch for changes you do not expect.

Web hosting companies might do well to have a page of "staff public keys"
that customers should save on their key ring or in a local file; the same
for the big sites, i.e., keys that are locked in a vault, not online and not
hackable, to be used to untangle serious FUBAR. This needs a well-considered
process document to work, but as we can see from Sony, big hacks are real and
cleaning up after the attack is difficult. Easy to walk down the hall, but
crosstown and beyond gets harder and harder.

  T o m    M i t c h e l l
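As an added example (not from the thread and not Tom's code), a stdlib-only Python check for the "watch your own https key for changes" suggestion above: it pins the SHA-256 fingerprint of the served certificate and accepts a set of pins, so a planned rotation to a vaulted backup certificate is not reported as a change. The sample PEM is constructed and is not a real certificate; `fetch_pem` is the only part that touches the network.

```python
"""Watch your own site's TLS certificate for unexpected changes.

Pins are SHA-256 fingerprints of the DER-encoded certificate (the value
`openssl x509 -fingerprint -sha256` prints). Keeping more than one pin
lets a planned rotation to a backup certificate pass without an alert.
"""
import base64
import hashlib
import ssl


def der_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, lowercase hex, no colons."""
    return hashlib.sha256(der).hexdigest()


def normalize_pin(pin: str) -> str:
    """Accept 'AB:CD:..' or 'abcd..' and return the canonical lowercase form."""
    return pin.replace(":", "").strip().lower()


def check_certificate(pem: str, pins) -> dict:
    """Compare the certificate in `pem` against the accepted fingerprints.

    Returns {'status': 'ok' | 'changed', 'fingerprint': <hex>} so the caller
    can page someone, log quietly, or refresh its local backup as it sees fit.
    """
    der = ssl.PEM_cert_to_DER_cert(pem)
    seen = der_fingerprint(der)
    accepted = {normalize_pin(p) for p in pins}
    return {"status": "ok" if seen in accepted else "changed", "fingerprint": seen}


def fetch_pem(host: str, port: int = 443) -> str:
    """Fetch the leaf certificate the host is serving right now (network)."""
    return ssl.get_server_certificate((host, port))


# Constructed stand-in for offline use: PEM_cert_to_DER_cert only strips the
# armour and base64-decodes, so these bytes exercise the check logic without
# being a real certificate.
SAMPLE_DER = b"constructed-not-a-real-certificate"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(SAMPLE_DER).decode()
    + "\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    pins = [der_fingerprint(SAMPLE_DER)]  # recorded when you deployed the cert
    print(check_certificate(SAMPLE_PEM, pins))          # status: ok
    print(check_certificate(SAMPLE_PEM, ["00" * 32]))   # status: changed
```

Run it on a schedule against `fetch_pem("your.host")` and treat `changed` as something to investigate, not something to auto-accept.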