cacert-sysadm AT lists.cacert.org
Subject: CAcert System Admins discussion list
- From: Dieter Hennig <dieter.hennig AT id.ethz.ch>
- To: "cacert-sysadm AT lists.cacert.org" <cacert-sysadm AT lists.cacert.org>
- Cc: Ian G <iang AT iang.org>, Mazzoni Roberto <roberto.mazzoni AT id.uzh.ch>
- Subject: Re: two possible MD5 hashed certificates in a chain
- Date: Fri, 18 Dec 2009 20:09:24 +0100
Dear Ian,
I hope I can express it well. Please do two experiments.
a.) Install the Opera browser and look at https://www.cacert.org
What do you see?
b.) Please use Firefox and install the plug-in
SSL Blacklist
from here
http://codefromthe70s.org/sslblacklist.aspx
and then go to
https://dev.cacert.cl
We have that tool everywhere in the field.
Both problems are, in fact, very different, but for me they are both
connected at first to the practical discussion with our students and
staff members. And they are so many and I am only one.
A good intermediate certificate, which we can actively push into our
organization, *if* something goes wrong, is a kind of active security
policy we have. To fight with mass-mailing against security problems is
not the way we have written down in our (passed) ISO 20.000 audit. To
have no perfect intermediate certificate is for us a practical risk.
And please see how long the experts are discussing the matter here; how
would I explain this in short words for students?
These two problems above are different problems; my wish was to make
a decision which solves the possible discussion about b.) with a minimal
change inside your (our) system with the biggest possible outcome. And I
started the discussion to find a way that no actual application crashes,
no one is forced immediately to install new certificates because actually
no *new* attack against MD5 hashed certificates was published (we agree
on this point over the last 12 months). And in my way, the problem would
disappear in two years altogether.
To find the right moment to make a new root certificate (and to solve
problem a.)) is out of scope for me at the moment. Personally, I
would look to the big players, what they are doing, or wait for SHA2.
May I ask another question: Do you know another certificate
organization which is acting in the same way as CAcert with the MD5
chain public, or are we the only one?
Ian G wrote on 18.12.2009 17:45:
> On 18/12/2009 08:34, Roberto Mazzoni wrote:
>> Dear Daniel
>>
>>>> Actually we are using, like most people around in the community, to
>>>> sign our requests only by the Class-1-root-certificate and we do not use
>>>> this Class-3-certificate.
>>> If you're only using the Class-1-root-certificate why are you asking for
>>> the Class-3 to be replaced?
>>
>> People have to install the root certificate in their browser anyway, in
>> order to avoid warnings about the certificate. The intermediate certificate
>> is sent by the server, no user action needed once the root certificate is
>> installed.
>> It's easy to replace or add a Class 3 intermediate certificate on the server
>> side. But since the current intermediate also uses MD5 hashes, we are not
>> using it because it has no benefit. With a new intermediate with SHA1 hash
>> algorithm, we would send out the certificate chain and only use this for
>> signing certificates.
>
>
> I'm sorry, I do not understand what the problem is. Let me check the
> facts as I see them.
>
> A server can now be configured with class 3 + an SSL server side cert.
> The class 3 will sign the SSL cert using SHA1. So no issue with the
> server certs.
>
> The class 3 subroot is signed by the class 1 root, which has to be in
> the browser. That class 3 might be signed with MD5 (I tried to confirm
> it but I can't even see it...). But it's not attackable by the January
> attack.
>
> So the worst case here is that possibly, browsers will reject that MD5
> signature over the class 3.
>
> Is that what you are talking about? Or am I missing something?
>
> If so, I haven't seen it myself; which browser is doing this? I know
> the browsers are talking about it, but I also will be surprised if they
> will move aggressively here, they will wait until all (root list) CAs
> are completely moved over, which is likely another year or more. (The
> browsers are very sensitive to user-support complaints generated by
> aggressive crypto fixes.)
>
>
>> FYI, another nice comment on MD5:
>> http://my.opera.com/securitygroup/blog/2009/01/30/md5-in-certificates-what-is-happening
>
>
> Yes, good description. Please note how complicated the whole area is.
> Also, update that article to add that TLS 1.2 is probably under a cloud
> and it hasn't even been pushed out as yet... People aren't moving fast
> on this because they are lazy, but because it is a minefield.
>
> ....
>>> How important is this now?
>>
>> I guess fair wording does not change importance.
>
>
> Sorry, I still don't understand why it is important to you.
> Everything's important, what is not clear is why this is more important
> than anything else?
>
> It's important to us. I've been banging the table on this since 2007.
> We will do it. But we want to do it at the right time, or to put it
> another way, banging the table is not the same thing as insisting that
> others change their lives to suit me.
>
> We could do it at the wrong time for us, or it seems possible to do a
> new intermediate key only, if there was a good reason. So far it seems
> that security is not an issue for you and for us. But in time the
> browsers and servers will cause more problems for MD5 ... that's a given
> fact, but we don't know when.
>
> However, it is likely that this will be an automatically audit-rejected
> intermediate. Are you happy with that? And why are you happy with
> that, but not happy with the current situation?
>
> iang
Best Regards
Dieter
--
Dieter Hennig
Informatikdienste/Helpdesk
ETH Zuerich, STB G 18.2
8092 Zuerich, Stampfenbachstr. 69
Tel: +41 44 632 4278
Fax: +41 44 632 1900
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature