1 |
Fernando Rodriguez <frodriguez.developer@×××××××.com> writes: |
2 |
|
3 |
> On Sunday, September 06, 2015 4:29:25 PM lee wrote: |
4 |
|
5 |
> [...] |
6 |
>> |
7 |
>> When creating the certificate, I have used the fqdn the host does |
8 |
>> actually have and knows itself by (because I needed to fill in the |
9 |
>> fields, and it seemed most reasonable to use the actual host name). |
10 |
>> |
11 |
>> That this host can be reached at all, via different fqdns and IPs, is a |
12 |
>> matter of network traffic (re-)direction and of how the DNS-entries |
13 |
>> currently happen to be. They are all transparent and irrelevant to the |
14 |
>> user/client and subject to change. Why should they matter for a |
15 |
>> certificate which is supposed to let me figure out whether I'm |
16 |
>> connecting to the host I'm expecting to connect to, or to something |
17 |
>> else? |
18 |
> [...] |
19 |
> |
20 |
> An SSL certificate provides both encryption and authentication. For the |
21 |
> encryption part it's simple, you own the private key, the certificate has the |
22 |
> public key, so only you can decrypt whatever is encrypted with it. |
23 |
> |
24 |
> Authentication is more complicated. It's easy if you think of if like a driver |
25 |
> license. The hostname is like the photo, if I get pulled over and hand over a |
26 |
> stolen license to the officer he'll know it's not me by looking at the photo. |
27 |
> Your browser does the same with the hostname, if somebody steals your private |
28 |
> key they will also have to steal your domain name to impersonate you. If |
29 |
> somebody grabs a hold of your CA's private key is like stealing the DMV |
30 |
> printer, now they can issue themselves a license with your name and their own |
31 |
> picture. But if they hand it over to an officer he will call it in and find out |
32 |
> it's fake, that's the equivalent of revocation lists and ocsp. |
33 |
> |
34 |
> Of course it only works because we trust the DMV (or the CA in this case) to |
35 |
> be diligent in verifying you are who you say you are before issuing a license |
36 |
> or certificate. So it all doesn't apply as much to self issued certificates but |
37 |
> it still applies to some extent. |
38 |
|
39 |
Actually, it does not work. What my face looks like is not subject to |
40 |
network traffic (re-)direction and the content of DNS entries. It |
41 |
changes with age and can still be recognized. I could send you a |
42 |
picture of my face and you would never know whose face is on the |
43 |
picture: that's like an FQDN or IP. I could just as well give you an IP |
44 |
address or FQDN to identify myself. |
45 |
|
46 |
The purpose of driver licenses is not identification. Anyway, why would |
47 |
I need some sort of document to identify myself if my face would |
48 |
suffice? In practise, the document is more important than the face |
49 |
that's on it. |
50 |
|
51 |
IIRC, there is a way with gpg to change the email address(es) of your |
52 |
key. That makes sense because the address is for having the convenience |
53 |
of not needing to specify a key-ID or something else. And that I might |
54 |
be using another email address does not invalidate the key. It's the |
55 |
key itself which is relevant, not what is being used to pick which key |
56 |
to choose. |
57 |
|
58 |
Linking a certificate to an FQDN or IP is clutching at straws at best. |
59 |
As my face changes with time, they also do. With documents to identify |
60 |
me, I don't update the picture all the time. |
61 |
|
62 |
When the ID-document I currently have expires, I won't have one that |
63 |
hasn't expired because they have become so insanely expensive that I |
64 |
can't afford one. That's similar to the work it would take to put a new |
65 |
certificate in place for all the users just because it's linked to an |
66 |
FQDN/IP. It might be cheaper if you could change out the picture as you |
67 |
can change the email address with gpg. |
68 |
|
69 |
The concept is flawed. And how could I myself verify that a CA does its |
70 |
job the way they are supposed to do it? In the end, it's no more than a |
71 |
deception, and that shouldn't be needed to be able to use encrypted |
72 |
connections. |
73 |
|
74 |
|
75 |
-- |
76 |
Again we must be afraid of speaking of daemons for fear that daemons |
77 |
might swallow us. Finally, this fear has become reasonable. |