On 8/29/23 8:31 AM, Charles Mills wrote:
> Just being a security PITA here, but that solution makes the security
> of their systems subject to whatever safeguards you do or do not put
> on yours.
Remember, Certificate Authorities can be constrained. E.g. it's
possible to create an Enterprise Certificate Authority that can only
sign things in the enterprise.example.net domain and nothing outside of
it, thereby significantly limiting exposure to things outside of the
enterprise.
> If I can extract the CA private key from your PC then it is trivial
> for me to create a www.chase.com certificate that will be trusted by
> their browsers without any question, and mount a man-in-the-middle
> attack on their banking.
I question the veracity of that statement.
I can't tell for sure if you are referring to extracting data (possibly
the /public/ key) from communications in flight -or- speaking to the
security of the CA and its ecosystem by breaching the CA for its
signing key directly.
There is little difference between breaching an Enterprise CA's signing key
and breaching Verisign's CA signing key. The effective
difference is related to security around the key. The concept is the
same. Just how many fences do you have to get through.
Thankfully, this can be largely mitigated by leveraging things like a
YubiKey and / or a Trusted Platform Module on the CA system wherein the
YubiKey / TPM / etc. hold the actual signing certificate and the main
OS connected to them doesn't have access to and can't get access to the
signing key.
This comes down to risk vs reward. One system that must be tightly
secured, possibly operated at physical console, vs many people ignoring
~> defeating certificate security warnings on the regular. Which is the
lesser of the evils / better security posture?
If you are truly worried about the security of an Enterprise CA signing
key, there are commercial solutions that can go a long way towards this.
But this is small potatoes to training users to defeat certificate
warnings.
Grant. . . .
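The constrained Enterprise CA described in the exchange above, as an added example that is not part of the thread: a self-signed CA built with Go's crypto/x509 carrying a critical Name Constraints extension for enterprise.example.net, a leaf it signs inside that domain, and a leaf it signs for a name outside it. The domain, host names and 24-hour validity are assumptions for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// sign signs tmpl with signer under parent, binding pub; validity is 24h (example value).
func sign(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) (*x509.Certificate, error) {
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewConstrainedCA builds a self-signed CA whose critical Name Constraints extension (RFC 5280 4.2.1.10) permits only DNS names at or under domain.
func NewConstrainedCA(domain string) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // reads from rand.Reader cannot fail (Go 1.24+), so the error is ignored
	tmpl := &x509.Certificate{
		SerialNumber:                big.NewInt(1),
		Subject:                     pkix.Name{CommonName: "Enterprise CA (constructed example)"},
		IsCA:                        true,
		BasicConstraintsValid:       true,
		KeyUsage:                    x509.KeyUsageCertSign,
		PermittedDNSDomainsCritical: true,
		PermittedDNSDomains:         []string{domain},
	}
	ca, err := sign(tmpl, tmpl, pub, key)
	return ca, key, err
}

// IssueServerCert signs a leaf for dnsName. Signing itself is unrestricted: whoever holds caKey can sign any name; only the verifier enforces the constraint.
func IssueServerCert(ca *x509.Certificate, caKey ed25519.PrivateKey, dnsName string) (*x509.Certificate, error) {
	pub, _, _ := ed25519.GenerateKey(rand.Reader) // the leaf's private key is not needed for this demonstration
	return sign(&x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{dnsName}}, ca, pub, caKey)
}

// TrustedFor reports whether a client that trusts only ca accepts leaf for dnsName.
func TrustedFor(ca, leaf *x509.Certificate, dnsName string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: dnsName})
	return err == nil
}
```

Note that IssueServerCert succeeds for the out-of-domain name; the constraint is enforced at path validation by the relying party, so it limits exposure only for clients that process name constraints.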
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN