On Mon, 29 Feb 2016 10:18:01 +0100 Jürgen Brauckmann <[email protected]> wrote:
> Using private PKIs for such stuff isn't risk-free, as software
> vendors are confused about the security properties of their root
> store.

Actually I also thought while reading this thread that I disagree that a private PKI is always a good idea. I generally recommend the opposite. Running a private PKI requires quite a bit of knowledge about certificates and the deployment of roots and can introduce severe risks if you don't take care of your private keys. You avoid all questions about how to deploy it to a diverse device base if you use publicly trusted roots.

The problem here imho was a different one: If you deploy devices that you expect to stay around for a longer timeframe, always make sure they implement the most modern protocols available. Pretty much *all* SHA1-hassle could've been avoided if people hadn't deployed sub-standard crypto implementations. SHA2-based certificates were available since the 90s.

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: [email protected]
GPG: BBB51E42
_______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy

