I think part of the problem is that the one public CA tree is used for many different purposes. Validating the host name for HTTP is one goal. Identifying trustworthy companies is another. The VeriSign certificates are expensive because the identification is hard. Even then, it isn't as good as it should be. On the other hand, for many purposes just verifying that the DNS hasn't been spoofed is good enough. Certificates based on the DNS would be much cheaper. There already is a hierarchy that the CA tree could follow.

For example, I once worked with a credit card processing system that used SSL to protect the transactions. That is a good thing because SSL is a very well designed protocol. The problem is that the server's certificate was signed by VeriSign. The clients used a CA file that listed the VeriSign CA. The problem with this is that any CA in the VeriSign tree could impersonate the server. This may be an acceptable risk for the shopping site, but it is a big danger with the credit card processor that sits behind it.

What they should have done is signed the server certificate with a custom CA. That CA would be the only one configured for clients. Clients should also get client certificates signed by the only CA that the servers trust. The trust is limited to the organization that runs the servers and issues the certificates.

Similarly, organizations shouldn't use the public CA tree for internal authentication like with email. It requires more work to distribute the CA certificate to all the clients but it is more secure because the trust doesn't include all the public CAs. On the other hand, since browsers don't separate trust domains for certificates, the private CA could be used to spoof any web site.


In reply to Re: (OT) SSL Certificates: Self-Signing and Alternative Solutions by iburrell
in thread (OT) SSL Certificates: Self-Signing and Alternative Solutions by Anonymous Monk
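The post's recommendation in working form, added here as an illustration and not code from the thread: a private CA whose certificate is the only one in the clients' trust store issues both the server and the client certificate, while a second CA stands in for "any CA in the public tree". It assumes the `cryptography` package; names such as `processor.example` and `merchant-client-17` are made up.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey
from cryptography.x509.oid import NameOID

def issue(cn, issuer=None, is_ca=False):
    """Return (cert, key) for cn, signed by issuer=(cert, key); None = self-signed root."""
    key = Ed25519PrivateKey.generate()
    issuer_cert, issuer_key = issuer if issuer else (None, key)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.now(timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(subject)
            .issuer_name(issuer_cert.subject if issuer_cert else subject)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, None))  # Ed25519 takes no hash algorithm
    return cert, key

def accepted(cert, trust_store):
    """True if some CA in trust_store issued cert (issuer name matches and its key verifies
    the TBS signature). Hostname/validity/revocation checks are omitted on purpose."""
    for ca in trust_store:
        if ca.subject != cert.issuer:
            continue
        try:
            ca.public_key().verify(cert.signature, cert.tbs_certificate_bytes)
            return True
        except InvalidSignature:
            pass
    return False

# Constructed scenario: the processor's private CA issues its server cert and the
# merchant's client cert; OTHER_CA stands in for any public CA and issues a cert
# bearing the processor's name but signed with an unrelated key.
ORG_CA = issue("Processor Private CA", is_ca=True)
OTHER_CA = issue("Some Public CA", is_ca=True)
SERVER_CERT, _ = issue("processor.example", ORG_CA)
CLIENT_CERT, _ = issue("merchant-client-17", ORG_CA)
IMPOSTOR_CERT, _ = issue("processor.example", OTHER_CA)

def demo():
    narrow = [ORG_CA[0]]             # what the post recommends
    wide = [ORG_CA[0], OTHER_CA[0]]  # the shared public trust store
    return {"narrow_server": accepted(SERVER_CERT, narrow),
            "narrow_client": accepted(CLIENT_CERT, narrow),
            "narrow_impostor": accepted(IMPOSTOR_CERT, narrow),
            "wide_impostor": accepted(IMPOSTOR_CERT, wide)}
```

With only the private CA trusted, the impostor certificate is rejected even though its name matches; once the second CA is added to the store, the same certificate is accepted.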