Interesting. Certainly does show that "who do you trust?" is a significant 
decision. Marking a certificate in RACF as trusted is not just housekeeping; it 
is a significant security decision. You are not just saying "I need RACF to be 
able to use this as a CA certificate"; you are saying "this organization is 
willing to bet its security on the trustworthiness of this certificate."

I think that is why IBM stopped shipping a RACF database with pre-installed CA 
certificates. IBM does not want to be in the business of making those decisions 
for you.

Also! Let me nitpick myself before someone else does it for me: When I wrote 
"the CA vouches that the *subject name* in the certificate belongs to Charles 
Mills" -- that should be "the subject names" (plural) belong to Charles Mills.

Charles


-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Grant Taylor
Sent: Monday, August 31, 2020 8:50 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: setting up CSSMTP to use TLS-SSL

On 8/31/20 9:34 AM, Charles Mills wrote:
> Are CA's perfect? I don't *know* of a CA hack but I do know of (I 
> should probably say "alleged") CA sloppiness:

DigiNotar was compromised:

"...it had become clear that a security breach had resulted in the 
fraudulent issuing of certificates..."

Link - DigiNotar
  - https://en.wikipedia.org/wiki/DigiNotar

I believe there have been others in the past.  But DigiNotar was one of 
the most prominent breaches that I remember.  I think part of their 
problem was how they failed to handle the situation.

I think Comodo has had problems too.  I don't know the circumstances 
around them.

I don't know how much of a problem (if that's the correct term) it is on 
the mainframe world, but Windows used to trust hundreds of CAs.  That 
means hundreds of entities that could sign certificates for any given 
subject.  A common scapegoat for a popular podcast is that the Hongkong 
Post can sign certificates for ibm.com or listserv.ua.edu.  Any of the 
multiple hundred Root CAs can do it.

CAA records offer some protection for this, but that is no guarantee.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
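The CAA check Grant mentions at the end of his message, as an added example that is not part of this thread: a small evaluator of the RFC 8659 issuance rules that, given a CAA RRset, decides whether a named CA is permitted to issue for a host name or a wildcard name. The zone data, the CA names (ca-one.example, ca-two.example) and the host names are constructed for illustration rather than looked up in DNS; the wildcard handling (starting the climb from the wildcard's parent label) and the refusal on an unrecognised critical-flagged tag are my reading of the RFC and should be treated as assumptions. With no CAA record anywhere in the chain the function answers "permitted" for any CA, which is exactly the "any of the multiple hundred Root CAs can do it" situation above.

```python
"""Decide whether a CA may issue for a name under DNS CAA (RFC 8659 semantics).

Added example: the CAA records below are constructed, not a real DNS lookup.
"""
from typing import Dict, List, Optional, Tuple

CaaRecord = Tuple[int, str, str]  # (flags, tag, value)

# Constructed CAA data keyed by absolute owner name (trailing dot).
CONSTRUCTED_ZONE: Dict[str, List[CaaRecord]] = {
    "example.com.": [
        (0, "issue", "ca-one.example"),                 # only ca-one for ordinary certs
        (0, "issuewild", ";"),                          # nobody may issue wildcard certs
        (0, "iodef", "mailto:security@example.com"),    # where to report violations
    ],
    "locked.example.com.": [(0, "issue", ";")],         # no CA at all for this name
    "strict.example.com.": [(128, "futuretag", "x")],   # critical flag, unknown tag
}

KNOWN_TAGS = ("issue", "issuewild", "iodef")


def _parent(name: str) -> Optional[str]:
    """Return the parent of an absolute name, or None at the top label."""
    labels = name.rstrip(".").split(".")
    if len(labels) <= 1:
        return None
    return ".".join(labels[1:]) + "."


def relevant_rrset(name: str, zone: Dict[str, List[CaaRecord]]
                   ) -> Tuple[Optional[str], List[CaaRecord]]:
    """Climb from name toward the root; return the first non-empty CAA RRset."""
    cur: Optional[str] = name.rstrip(".") + "."
    while cur is not None:
        rrset = zone.get(cur, [])
        if rrset:
            return cur, rrset
        cur = _parent(cur)
    return None, []


def _issuer_domain(value: str) -> str:
    """'ca.example; account=123' -> 'ca.example'; ';' -> '' (meaning no CA)."""
    return value.split(";", 1)[0].strip().lower()


def issuance_permitted(fqdn: str, ca_domain: str,
                       zone: Dict[str, List[CaaRecord]] = CONSTRUCTED_ZONE) -> bool:
    """True if ca_domain may issue a certificate for fqdn under the zone's CAA."""
    wildcard = fqdn.startswith("*.")
    # Assumption: a wildcard request is governed by records at its parent label.
    lookup = fqdn[2:] if wildcard else fqdn
    _owner, rrset = relevant_rrset(lookup, zone)
    if not rrset:
        return True  # no CAA anywhere in the chain: any trusted CA may issue
    # A critical-flagged (0x80) record with a tag we do not understand: refuse.
    for flags, tag, _value in rrset:
        if flags & 0x80 and tag.lower() not in KNOWN_TAGS:
            return False
    tags = [tag.lower() for _flags, tag, _value in rrset]
    # Wildcards use issuewild when present, otherwise fall back to issue.
    governing = "issuewild" if wildcard and "issuewild" in tags else "issue"
    allowed = [_issuer_domain(value) for _flags, tag, value in rrset
               if tag.lower() == governing]
    if not allowed:
        return True  # records exist but none restrict this kind of issuance
    return ca_domain.lower() in allowed


if __name__ == "__main__":
    for name, ca in [("www.example.com", "ca-one.example"),
                     ("www.example.com", "ca-two.example"),
                     ("*.example.com", "ca-one.example"),
                     ("locked.example.com", "ca-one.example"),
                     ("strict.example.com", "ca-one.example"),
                     ("host.nocaa.example", "ca-two.example")]:
        print(f"{ca:>16} -> {name:<22} {issuance_permitted(name, ca)}")
```

A CA is required to honour these records before issuing; the domain owner's side of the control is to publish them. The one real limit, which Grant's "no guarantee" covers, is that CAA binds only honest CAs: a compromised CA, or one that simply does not check, is not stopped by a DNS record.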