All true I think, except it's openssl on Linux not Windows.

On 8/29/2023 8:46 AM, Charles Mills wrote:
Don't want to get into one of the peeing contests that have become all too 
common here.

Let me just say that never mind any enterprise PKI CA constraints, I think Tom 
was talking about OpenSSL on a PC. OpenSSL stores private keys -- private keys 
-- in a pretty accessible format. If I can get into Tom's PC -- perhaps while 
he is at lunch, or with a clever phish -- and get that private key, then I can 
generate server certificates for any site in the world and Tom's associates 
will trust those certificates.

Not criticizing Tom or his processes here. Just pointing out to readers that there are 
some significant risks in general to the approach of "oh, I will just create an ad 
hoc CA and have my users trust it." Trusting a CA is implicitly trusting everything 
that anyone does with its root private key.

Yes, it is no different in some ways than trusting DigiCert. The difference is 
that DigiCert has very rigorous protocols for protecting its root private keys. 
OpenSSL does not.

Charles

On Tue, 29 Aug 2023 09:23:16 -0500, Grant Taylor <gtay...@tnetconsulting.net> 
wrote:

On 8/29/23 8:31 AM, Charles Mills wrote:
Just being a security PITA here, but that solution makes the security
of their systems subject to whatever safeguards you do or do not put
on yours.

Remember, Certificate Authorities can be constrained.  E.g. it's
possible to create an Enterprise Certificate Authority that can only
sign things in the enterprise.example.net domain and nothing outside of
it.  Thereby significantly limiting exposure to things outside of the
enterprise.

If I can extract the CA private key from your PC then it is trivial
for me to create a www.chase.com certificate that will be trusted by
their browsers without any question, and mount a man-in-the-middle
attack on their banking.

I question the veracity of that statement.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN



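Grant's point about constraining a CA, as an added example that is not from any poster in this thread: a root CA carrying a critical nameConstraints extension that permits only DNS names under .enterprise.example.net (the domain named above), built with the openssl CLI, then checked against one leaf inside and one outside that subtree. The CA key is stored passphrase-encrypted; the passphrase, leaf host names and file layout are constructed for the demo, and openssl 1.1.1 or later is assumed to be in PATH.

```shell
#!/bin/sh
# Added example (not from the thread): a name-constrained private CA built
# with the openssl CLI, then verification of leaf certificates inside and
# outside the permitted DNS subtree. Assumes openssl 1.1.1+ in PATH.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Root CA whose nameConstraints extension only permits names under
# .enterprise.example.net (domain taken from the thread). The key is
# written passphrase-encrypted; "demo-only" is a constructed placeholder.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Constrained Enterprise CA (demo)
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
nameConstraints = critical, permitted;DNS:.enterprise.example.net
EOF
openssl req -x509 -newkey rsa:2048 -days 1 -config "$WORK/ca.cnf" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -passout pass:demo-only >/dev/null 2>&1

# issue_leaf NAME: sign a server certificate for NAME (CN and SAN) with the CA.
issue_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\n' "$1" > "$WORK/$1.ext"
  openssl x509 -req -days 1 -in "$WORK/$1.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -passin pass:demo-only -CAcreateserial \
    -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# verify_leaf NAME: exit 0 if a client trusting only this CA accepts NAME's cert.
verify_leaf() {
  issue_leaf "$1"
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# In-scope name chains; out-of-scope name fails with a permitted subtree violation.
verify_leaf www.enterprise.example.net && echo "in-scope leaf accepted"
verify_leaf www.bank.example.org || echo "out-of-scope leaf rejected by name constraint"
```

A stolen key of this CA can still mint certificates, but only for names the constraint permits, which is the exposure limit Grant describes.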
