IP: SSL Certificate "Monopoly" Bears Financial Fruit

lynn.wheeler at firstdata.com lynn.wheeler at firstdata.com
Fri Jul 12 08:16:01 PDT 2002


and just to make sure there is a common understanding regarding SSL cert
operation ... the browser code

1) checks that the SSL server cert can be validated by ANY public key that
is in the browser preloaded list (I haven't verified whether they totally
ignore all of the "cert" part of these preloaded public keys ... things
like expiration date ... that these preloaded public keys are in the
preloaded list appears to be sufficient ... details like the preloaded
public keys happened to be wrappered in these certificate containers is
almost extraneous).

2) validates the signature on the SSL server cert with the corresponding
public key

3) checks if the website domain/host name is the same (or in some cases
similar) to the domain/host name specificed in the SSL server cert. I have
noticed that browsers tend to pretty much ignore the contents of these SSL
server certificates ... things like expiration date ... except the public
key, the domain/host name, and the signature (and the signature only has
real meaning within the context of
the infrastructure associated with the public key in the preloaded list
with the lowest trust/integrity level;
this is analogous to security weakest link ... a bank vault with a 4ft
think vault door doesn't do much good
if the vault has no walls).

4) uses the public key in the SSL server cert to validate communication
with the server.

all of this happens automagically from most users' standpoint (probably
less than one percent of the population even knows that there is such a
thing as a preload list).



pgut001 at cs.auckland.ac.nz on 7/10/2002 at 9:12 pm wrote:

Both Netscape 6 and MSIE 5 contain ~100 built-in, automatically-trusted CA
certs.

 * Certs with 512-bit keys.

 * Certs with 40-year lifetimes.

 * Certs from organisations you've never heard of before ("Honest Joe's
Used
   Cars and Certificates").

 * Certs from CAs with unmaintained/moribund websites ("404.notfound.com").

These certs are what controls access to your machine (ActiveX, Java,
install-
on-demand, etc etc).

  * It takes 600-700 mouse clicks to disable these certs to leave only CAs
you
    really trust.

(The above information was taken from "A rant about SSL, oder: die grosse
 Sicherheitsillusion" by Matthias Bruestle, presented at the KNF-Kongress
 2002).

>Why is not someone else issuing certificates?

How many more do you need?

Peter.





More information about the cypherpunks-legacy mailing list