public inbox for gentoo-user@lists.gentoo.org
 help / color / mirror / Atom feed
Search results ordered by [date|relevance]  view[summary|nested|Atom feed]
thread overview below | download: 
* Re: [gentoo-user] app-misc/ca-certificates
  @ 2021-06-02  7:48 99%             ` Fannys
  0 siblings, 0 replies; 1+ results
From: Fannys @ 2021-06-02  7:48 UTC (permalink / raw
  To: gentoo-user@lists.gentoo.org

[-- Attachment #1: Type: text/plain, Size: 1767 bytes --]

On June 2, 2021 1:51:06 AM UTC, Grant Taylor <gtaylor@gentoo.tnetconsulting.net> wrote:
>On 6/1/21 3:38 PM, Michael Orlitzky wrote:
>> *Any* CA can just generate a new key and sign the corresponding 
>> certificate.
>
>This is where what can /technically/ be done diverges from what is 
>/allowed/ to be done.
>
>CAs adhering to the CA/B Forum's requirements on CAA records mean that 
>they aren't allowed to issue a certificate for a domain that doesn't 
>list them in the CAA record.
>
>If a CA violates the CAA record requirement, then the CA has bigger 
>issues and will be subject to distrusting in mass.
>
>Certificate Transparency logs make it a lot easier to identify if such 
>shenanigans are done.  --  I think that the CA/B Forum is also
>requiring 
>C.T. Logs.
>
>Also, CAs /should/ *NOT* be generating keys.  The keys should be 
>generated by the malicious party trying to pull the shenanigans that 
>you're talking about.
>
>> All browsers will treat their fake certificate corresponding to the 
>> fake key on their fake web server as completely legitimate. The
>"real" 
>> original key that you generated has no special technical properties 
>> that distinguish it.
>
>Not /all/ browsers.  I know people that have run browser extensions to 
>validate the TLS certificate that they receive against records
>published 
>via DANE in DNS, which is protected by DNSSEC.  So it's effectively 
>impossible for a rogue CA and malicious actor to violate that chain of 
>trust in a way that can't be detected and acted on.

From my understanding its all based on trust and faith unless I take steps from my side. That doesnt seem very safe.
Tech should be based on tech. Not faith and trust on the other party.

Marinus

[-- Attachment #2: pEpkey.asc --]
[-- Type: application/pgp-keys, Size: 2208 bytes --]

^ permalink raw reply	[relevance 99%]

Results 1-1 of 1 | reverse | options above
-- pct% links below jump to the message on this page, permalinks otherwise --
2021-05-29  1:08     [gentoo-user] app-misc/ca-certificates zcampe
2021-05-29  6:26     ` Walter Dnes
2021-06-01  4:45       ` J. Roeleveld
2021-06-01  5:15         ` William Kenworthy
2021-06-01 21:25           ` Grant Taylor
2021-06-01 21:38             ` Michael Orlitzky
2021-06-02  1:51               ` Grant Taylor
2021-06-02  7:48 99%             ` Fannys

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox