| 1 |
Fernando Rodriguez <frodriguez.developer@×××××××.com> writes: |
| 2 |
|
| 3 |
> On Sunday, September 06, 2015 4:29:25 PM lee wrote: |
| 4 |
|
| 5 |
> [...] |
| 6 |
>> |
| 7 |
>> When creating the certificate, I have used the fqdn the host does |
| 8 |
>> actually have and knows itself by (because I needed to fill in the |
| 9 |
>> fields, and it seemed most reasonable to use the actual host name). |
| 10 |
>> |
| 11 |
>> That this host can be reached at all, via different fqdns and IPs, is a |
| 12 |
>> matter of network traffic (re-)direction and of how the DNS-entries |
| 13 |
>> currently happen to be. They are all transparent and irrelevant to the |
| 14 |
>> user/client and subject to change. Why should they matter for a |
| 15 |
>> certificate which is supposed to let me figure out whether I'm |
| 16 |
>> connecting to the host I'm expecting to connect to, or to something |
| 17 |
>> else? |
| 18 |
> [...] |
| 19 |
> |
| 20 |
> An SSL certificate provides both encryption and authentication. For the |
| 21 |
> encryption part it's simple, you own the private key, the certificate has the |
| 22 |
> public key, so only you can decrypt whatever is encrypted with it. |
| 23 |
> |
| 24 |
> Authentication is more complicated. It's easy if you think of if like a driver |
| 25 |
> license. The hostname is like the photo, if I get pulled over and hand over a |
| 26 |
> stolen license to the officer he'll know it's not me by looking at the photo. |
| 27 |
> Your browser does the same with the hostname, if somebody steals your private |
| 28 |
> key they will also have to steal your domain name to impersonate you. If |
| 29 |
> somebody grabs a hold of your CA's private key is like stealing the DMV |
| 30 |
> printer, now they can issue themselves a license with your name and their own |
| 31 |
> picture. But if they hand it over to an officer he will call it in and find out |
| 32 |
> it's fake, that's the equivalent of revocation lists and ocsp. |
| 33 |
> |
| 34 |
> Of course it only works because we trust the DMV (or the CA in this case) to |
| 35 |
> be diligent in verifying you are who you say you are before issuing a license |
| 36 |
> or certificate. So it all doesn't apply as much to self issued certificates but |
| 37 |
> it still applies to some extent. |
| 38 |
|
| 39 |
Actually, it does not work. What my face looks like is not subject to |
| 40 |
network traffic (re-)direction and the content of DNS entries. It |
| 41 |
changes with age and can still be recognized. I could send you a |
| 42 |
picture of my face and you would never know whose face is on the |
| 43 |
picture: that's like an FQDN or IP. I could just as well give you an IP |
| 44 |
address or FQDN to identify myself. |
| 45 |
|
| 46 |
The purpose of driver licenses is not identification. Anyway, why would |
| 47 |
I need some sort of document to identify myself if my face would |
| 48 |
suffice? In practise, the document is more important than the face |
| 49 |
that's on it. |
| 50 |
|
| 51 |
IIRC, there is a way with gpg to change the email address(es) of your |
| 52 |
key. That makes sense because the address is for having the convenience |
| 53 |
of not needing to specify a key-ID or something else. And that I might |
| 54 |
be using another email address does not invalidate the key. It's the |
| 55 |
key itself which is relevant, not what is being used to pick which key |
| 56 |
to choose. |
| 57 |
|
| 58 |
Linking a certificate to an FQDN or IP is clutching at straws at best. |
| 59 |
As my face changes with time, they also do. With documents to identify |
| 60 |
me, I don't update the picture all the time. |
| 61 |
|
| 62 |
When the ID-document I currently have expires, I won't have one that |
| 63 |
hasn't expired because they have become so insanely expensive that I |
| 64 |
can't afford one. That's similar to the work it would take to put a new |
| 65 |
certificate in place for all the users just because it's linked to an |
| 66 |
FQDN/IP. It might be cheaper if you could change out the picture as you |
| 67 |
can change the email address with gpg. |
| 68 |
|
| 69 |
The concept is flawed. And how could I myself verify that a CA does its |
| 70 |
job the way they are supposed to do it? In the end, it's no more than a |
| 71 |
deception, and that shouldn't be needed to be able to use encrypted |
| 72 |
connections. |
| 73 |
|
| 74 |
|
| 75 |
-- |
| 76 |
Again we must be afraid of speaking of daemons for fear that daemons |
| 77 |
might swallow us. Finally, this fear has become reasonable. |
Archives