Most platforms (Windows, zOS, Linux, OSX) allow for deletion of pre-included 
root certs, if the user has the right authority to do so.

Browsers that package them (Mostly FFox) can be modified, others use the OS 
version (IE, Safari) - for which the above applies.

For custom products which use Certs, well that just depends :)

Charles wrote:
, that the security is 100% in your hands
^— agreed. The only rub to this is if companies are not prepared to do proper 
key management and security, it could make things worse, but I firmly agree with 
your assertion.


Rob wrote:
There are ways that another well known CA can sign a cert that you can then
use as a CA for signing / issuing certs... which may be helpful for
business to business transactions / connections.

As far as I know, the only thing Root CAs (assuming that’s what you mean by 
“well known”) can do is issue you an Intermediate Certificate Authority, which 
is non-trivial, very expensive and not easily obtained.  Simply because, once 
issued, the intermediate cert allows you the full signing authority of the Root 
CA - meaning you could use that to go rogue, generate your own 
bankinyourtown.com or whatever.  The current X.509 / 
cert system doesn’t delegate well outside the thoroughly “Vetted”  Am I 
missing your point or some other option?

And Verisign has a mountain bunker and dedicated staff to keeping their
roots safe.

Certainly they do - as the granddaddy of them all.  It’s the other lesser ones 
that have had issues in the past, or give me pause.

And it helps some that they have active CRLs and OCSP responders.

True - but again, this is strictly OPT-in.  If the client doesn’t check, or 
some bad guy blocks the checks, those are more or less useless.  Having the 
onus of actively checking for revocation be on the client is another huge 
shortcoming of the existing system.  Certificate pinning makes this far more 
palatable, as the client would refuse to connect to all but the certificate 
that it knows.  This is done on the web by HPKP or in apps in various ways.

The trust issue is just a trust issue.  No more no less.   Really no
different than trusting a local pharmacy.

Amen.

There is blockchain PKI.  I just started investigating various blockchain
related technology.  But it may be a way to be less dependent on
centralized authorities.

This could very well be a great way to solve the problem - I’d like to read 
more about that.

Chad

On Jun 22, 2016, at 11:07 AM, Charles Mills <charl...@mcn.org> wrote:

Thanks! Agreed.

Well, agreed pretty much. Is it the "powers of the Internet" that have blessed 
these 168 (wow! I didn't realize that many!) CAs or the various browser and OS 
publishers? There is no ICANN or similar list of trusted CAs, right -- just 
whatever your browser, OS or ESM ships?

Any customer is free (correct me if I am wrong) to delete one or more of these 
"trusted" root authorities, right? Admittedly the process may be obscure and 
difficult to manage in an era of BYOD.

I kind of got stomped on a couple of weeks ago when I made the assertion you 
make in your last paragraph, but I still agree. There is nothing magic about 
Verisign, as much as their advertising would like to make you think there is. 
If your sole need is internal -- if you are not, for example, talking about 
"public" browsers connecting to an external Web site -- then there is no reason 
not to go with an in-house CA. As you say, you can even make the argument that 
it is MORE secure, or at least, that the security is 100% in your hands.

Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Bigendian Smalls
Sent: Wednesday, June 22, 2016 8:46 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: z/OS OpenSSL, SelfSigned Certs, etc

Well said Charles!  Slightly OT - It’s also worth noting that while the 
powers of the internet have seen fit to bless the likes of Verisign and GoDaddy 
as “trusted”, they’ve also blessed quite a few others with more dubious roots.  
The latest revision of Firefox, for example, has 168 unique trusted root CAs 
(many of which have roots, etc.).  Examples such as these (from Mozilla):

 *   Hong Kong Post Office
 *   China Internet Network Information Center
 *   Amazon

Any one of which could issue a cert for your site and every browser, with some 
exceptions (HSTS, HPKP, etc.)

Ultimately it’s up to the individual browsers/OSes to decide which CAs they’ll 
include.  But, for internal use (and even some customer use) a properly built 
private CA (yes, that’s self-signed) is as good or better, as you know the origin 
and can manage the keys properly.  Assuming you don’t need the general public to 
get a happy green bar + lock on their browser, this is often a great way to go, 
assuming you manage it properly.  And, depending on your needs (e.g. not wanting 
anyone to be able to spoof you) it might even be better.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN