Hi,
I stumbled across this service by StartCom:
https://startssl.com/StartPKI (archive link: https://archive.is/GRkAK)
I got a bit afraid when looking at their nice screenshots
(https://archive.is/GRkAK#75%), because they offer intermediate
certificates for companies, allowing them to issue certificates by
themselves.
So I checked their site to find out what this is about.
The certs are "Trusted by all browsers"
(https://archive.is/GRkAK#selection-419.0-419.23).
So I thought in this case they (StartCom) need to control the process,
especially as they allow EV certs to be issued.
However here is what they state on their website: "StartPKI, let you
control your SSL certificate life cycle management by yourself, not by
the CA!" (https://archive.is/GRkAK#selection-517.0-517.96)
This rather sounds as if the company had a web interface
where they can issue certificates however they want...
So I thought they at least keep the private key on their servers/HSMs.
However, they mention "FIPS 140 Luna G5 HSM Secured" under "Setup your
name issuing CA" (https://archive.is/GRkAK#selection-619.0-631.24), so
does this indicate that the companies have to set up an HSM? If so, for what,
if not for the private key of the intermediate?
On the other hand, they say you need "No PKI infrastructure
Investment" (https://archive.is/GRkAK#selection-449.0-449.32), but the
"All controlled by yourself"
(https://archive.is/GRkAK#selection-673.0-673.26) is not a very
appeasing statement when it comes to who can issue certificates.
Also, they say you can "Issue certificates instantly"
(https://archive.is/GRkAK#selection-425.0-425.28) (for free). I am
wondering how this can work for EV certificates.
On their news page (https://startssl.com/NewsDetails?date=20160428) they
say the intermediate CA is "for the exclusive use of the verified
organization". But how can they enforce this?
At least they say that "the intermediate CA will be provided by
StartCom's [...] infrastructure", so it seems they keep the intermediate
themselves.
So at least they keep the private key. However, this still does not
answer the question of how they control the certificates issued by this
intermediate - especially when it comes to EV certificates.
It is also unclear what kind of verification is made when a company
issues a certificate with their own intermediate.
Also note that there is a difference to StartResell. On their homepage
(https://startssl.com/NewsDetails?date=20160530) they also state that
resellers have their own intermediate certificate.
However, there they seem to do the verification themselves and "charge
the end user identity validation". This obviously does not happen for
StartPKI...
As StartPKI is "Ready to use in 3 days"
(https://archive.is/GRkAK#selection-413.0-413.22) I doubt that they can
trust all companies they issue intermediates for to do sane
verification.
The service is all in all quite questionable and statements like "All
controlled by yourself" are horrible to hear. I hope this statement is
just wrong and they somehow keep control.
Best regards,
rugk
--
I offer PGP support. To send me a PGP-encrypted mail, please ask for my
private mail address.
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy