On Mon, Feb 29, 2016 at 4:18 AM, Jürgen Brauckmann <[email protected]>
wrote:

> Peter Gutmann wrote:
>
>> Wouldn't it be easier to issue their own certs (or roll out equipment which
>> relies on WorldPay certs), at which point they could follow their own
>> policies?  Their problem is that their (inexplicable) use of a public CA for a
>> private PKI has meant they're now being held hostage to the CAB forum's cert
>> policy.
>>
>
> Using private PKIs for such stuff isn't risk-free, as software vendors are
> confused about the security properties of their root store.
>
> Nice example from the consumer electronics world: Android >= 4.4 is quite
> resistant against private PKIs. You cannot import your own/your corporate
> private Root CAs for Openvpn- or Wifi access point security without getting
> persistent, nasty, user-confusing warning messages: "A third party is
> capable of monitoring your network activity".
>
>
> http://www.howtogeek.com/198811/ask-htg-whats-the-deal-with-androids-persistent-network-may-be-monitored-warning/
>

This is a really good point.  Running a CA with high assurance is not
trivial, so I'm not especially excited about having a new PKI for every
non-Web use case.

In addition, there is a legitimate interoperability problem.  From what I
understand of the payment ecosystem, terminals and the servers they talk to
are manufactured by different manufacturers.  So there's a need for a
non-empty intersection between the set of CAs that terminals trust and the
set of CAs that servers use.  It seems likely that this issue will come up
in other use cases as well.

--Richard



> Regards,
>   Jürgen
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy
>