pre-installed CA (was: is a self signed certificate always invalid the first time?)
Steffen Kaiser
skdovecot at smail.inf.fh-brs.de
Fri Aug 11 09:39:00 EEST 2017
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Just my humble opinion:
We had ran a self-signed CA several years.
I would claim, that in theory this is more secure than using pre-installed
third party CAs. Using a self-signed cert per server might do for small
numers as well. However, when it comes to user divergence (or users
coming from a wide range of knowledge and a wide range of devices come
into play), roll your own is nightmare of support. As stated by others,
some clients (Web browser, systems, mail clients, ...) make it hard to
install own certs, Android even claims that the network (all of it from
the interpretation of users) becomes insecure, once you install your own
root cert. It looks like that more and more clients warns *each* time you
access a server with a self-signed cert.
In the end, the gain of security (identify servers) was torpedoed by
support and lack of understanding *and* will, even including poeple one
might think they understand the need of extra steps in favour of security.
IMHO, the cert hierarchie today exclude eavesdropping by normal attackers,
but is not suitable to identify servers or clients, because you (aka I)
cannot trust the pre-installed trusted CAs.
If your set of users and devices is small enough, you can prepare all
devices or offer an installation packet (for home users with a fixed set
of clients), roll your own CA is easy and I would go this way. Alas,
clients *should* mark personally trusted CAs differently than
vendor-trusted ones. So users can see, if they speak with the correct
server or if the server just looks alike, e.g. example.com vs. exampel.com
.
- --
Steffen Kaiser
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEVAwUBWY1RBHz1H7kL/d9rAQJQdAf/WgD+230Fon0rlXHeTsaQ2fZnn55yA+Eb
6K8RxEJ3y1EK6kgVAlAICxU92ft8smjQZGUU4vhWv/fLnXUErSaptOnXu3Nk7io2
5LqEwv+jmcLWthqxkSY2NJw3kzaNTYLcuQ8cXAVHuzwQlJO4x0MAq1WR4kVQtQh6
cP/EinFxhWjyqQElSJ7ph3EYR/UJVTx1HVFS6bBiA+vY9s07EH64SRomOSwVC3ng
ryQZrwc2+5u+9hFfOnuGnBqj76szjhqPpa2PV7fQx8cFuJpJrctVxT+zbLf2sJpF
2XDzygpEiEbQuMe1st6ugOey9N+pdRWstsouVBbUAZ3L5PckmUYYVQ==
=X902
-----END PGP SIGNATURE-----
More information about the dovecot
mailing list