[cap-talk] Web introductions, fingerprint service
Tyler Close
tyler.close at gmail.com
Wed Feb 27 20:27:42 EST 2008
On 2/27/08, Jed Donnelley <jed at nersc.gov> wrote:
> On 2/27/2008 3:26 PM, Karp, Alan H wrote:
> > Jed wrote:
> >
> >> Does that seem reasonable to others? Something
> >> like the above seems to me much preferable
> >> to "I'll probably look carefully at their certificate"
> >> which to me provides no real assurance/trust.
> >> What do others think?
> >
> > Unfortunately, big companies use lots of servers, and
> > each one has its own public key.
>
> Is that really true? Even for their entry points?
At the time I wrote the Petname Tool it was true for the big companies
that I did business with, even for their entry points.

This seems like a question we could definitively answer with some
searching. According to a recent article, there are some 813k CA
issued SSL certs in the wild. We could probably fetch most of them and
run them through some analysis software. Anyone know of an easy way to
get the certs, other than just trying port 443 on every IP address?

http://news.netcraft.com/archives/2008/02/17/extended_validation_ssl_certificates_now_1_year_old.html
> I remembered that and have been thinking about that problem
> while writing. That's a serious monkey wrench in the works.
>
> With that policy, it seems that you might be depending on
> the CA not signing more than one certificate for a given
> O=, but of course signing multiple such certificates is
> exactly the purpose. This seems to me to make the
> protection rather thin.
The Petname Tool also uses the geographic location information, along
with the O and the CA to identify the end entity. For sites that
choose to use the public CAs, I think that's the best we can do. The
sad reality is that today, your bank doesn't have a cryptographic
identity under its sole control. Instead, it hangs its identity off of
a public CA's. The best we can do is bind our petname to the entity's
chosen 'secure' identifier. We can't force it to adopt a more secure
identifier.
--Tyler
--
Use web-keys for RESTful access-control:
http://waterken.sourceforge.net/
Name your trusted sites to distinguish them from phishing sites.
https://addons.mozilla.org/firefox/957/
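
Added example, not part of the original message and not the Petname Tool's code: a sketch of the analysis proposed above (which entities present more than one public key) and of what changes when a petname is bound to CA + O + location instead of to a key. The record fields, the reading of "location" as (L, ST, C), and all hosts, CA names and fingerprints are constructed assumptions.

```python
from collections import defaultdict

def cert(host, ca, o, loc, key_fp):
    """Constructed record: fields a certificate survey would extract."""
    return {"host": host, "ca": ca, "o": o, "loc": loc, "key_fp": key_fp}

# Constructed sample data; hosts, CAs and fingerprints are invented.
SPRINGFIELD = ("Springfield", "IL", "US")
CERTS = [
    cert("www.examplebank.test", "Example CA", "Example Bank", SPRINGFIELD, "aa11"),
    cert("login.examplebank.test", "Example CA", "Example Bank", SPRINGFIELD, "bb22"),
    cert("www.smallshop.test", "Example CA", "Small Shop", ("Portland", "OR", "US"), "cc33"),
    cert("bank.lookalike.test", "Other CA", "Example Bank", SPRINGFIELD, "dd44"),
]

def by_key(c):
    return c["key_fp"]

def by_entity(c):
    # Assumed reading of the message: CA + O + location (L, ST, C).
    return (c["ca"], c["o"], c["loc"])

def multi_key_entities(certs):
    """Survey question from the thread: which entities use more than one key?"""
    keys = defaultdict(set)
    for c in certs:
        keys[by_entity(c)].add(c["key_fp"])
    return {e: sorted(k) for e, k in keys.items() if len(k) > 1}

class PetnameStore:
    """Maps an identity (computed by key_fn) to a user-chosen petname."""
    def __init__(self, key_fn):
        self.key_fn, self.names = key_fn, {}
    def assign(self, c, petname):
        self.names[self.key_fn(c)] = petname
    def lookup(self, c):
        return self.names.get(self.key_fn(c))  # None means "unnamed site"

def compare(certs):
    """Name the first cert 'my bank', then look up every cert both ways."""
    result = {}
    for label, fn in (("key", by_key), ("entity", by_entity)):
        store = PetnameStore(fn)
        store.assign(certs[0], "my bank")
        result[label] = {c["host"]: store.lookup(c) for c in certs}
    return result

if __name__ == "__main__":
    print(multi_key_entities(CERTS))
    for label, hits in compare(CERTS).items():
        print(label, hits)
```

With the entity binding, the second server keeps the petname despite its different key, and a certificate with the same O from a different CA stays unnamed. Any further certificate the same CA issues for that O and location would also resolve to the petname, which is the limit discussed in the thread.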