pre-installed CA (was: is a self signed certificate always invalid the first time?)

Steffen Kaiser skdovecot at smail.inf.fh-brs.de
Fri Aug 11 09:39:00 EEST 2017



Just my humble opinion:

We had run a self-signed CA for several years.

I would claim that in theory this is more secure than using pre-installed 
third party CAs. Using a self-signed cert per server might do for small 
numbers as well. However, when it comes to user divergence (or users 
coming from a wide range of knowledge and a wide range of devices come 
into play), roll your own is a nightmare of support. As stated by others, 
some clients (Web browser, systems, mail clients, ...) make it hard to 
install own certs; Android even claims that the network (all of it from 
the interpretation of users) becomes insecure, once you install your own 
root cert. It looks like more and more clients warn *each* time you 
access a server with a self-signed cert.

In the end, the gain of security (identify servers) was torpedoed by 
support and lack of understanding *and* will, even including people one 
might think understand the need of extra steps in favour of security.

IMHO, the cert hierarchy today excludes eavesdropping by normal attackers, 
but is not suitable to identify servers or clients, because you (aka I) 
cannot trust the pre-installed trusted CAs.

If your set of users and devices is small enough, you can prepare all 
devices or offer an installation packet (for home users with a fixed set 
of clients), rolling your own CA is easy and I would go this way. Alas, 
clients *should* mark personally trusted CAs differently than 
vendor-trusted ones. So users can see if they speak with the correct 
server or if the server just looks alike, e.g. example.com vs. exampel.com.

-- 
Steffen Kaiser

