On Fri, Dec 2, 2011 at 1:07 AM, Peter Gutmann <pgut...@cs.auckland.ac.nz> wrote: [snip] > OK, so it does appear that people seem genuinely unaware of both the fact that > this goes on, and the scale at which it happens. Here's how it works: > > 1. Your company or organisation is concerned about the fact that when people > go to their site (even if it's an internal, company-only one), they get scary > warnings. > > 2. Your IT people go to a commercial CA and say "we would like to buy the > ability to issue padlocks ourselves rather than having to buy them all off > you".
When it is *only* company-only, I think it's much more common for companies to set up their internal CAs and just do something like an SMS or WSUS push to get their internal root CA certs into all the trusted keystores of all the company computers. I've only seen the latter case used when it involves residential customers. We can't take that the approach to force them to add our internal CA cert chain to their trust stores, and even if we could it would likely result in so many calls to the help desk to make it infeasible. However, we have occasionally used that approach with business partners. > 3. The CA goes through an extensive consulting exercise (billed to the > company), after which they sell the company a padlock-issuing license, also > billed to the company. The company is expected to keep records for how many > padlocks they issue, and pay the CA a further fee based on this. > > 4. Security is done via the honour system, the CA assumes the company won't do > anything bad with their padlock-issuing capability (or at least I've never > seen any evidence of a CA doing any checking apart from for the fact that > they're not getting short-changed). Through the honor system? Does that mean that we can use a pair of dice rolled two or three times for our "hardware key generation"? ;-) Actually, more surprisingly, I've been told by those who manage something like this for our company, that even the reported number of padlocks that they issue and are expected to compensate the CA for is kept on the honor systemm--at least for the CA with whom we interact. (Or course, I'm assuming that the this CA retains the right to periodically do audits, etc.) -kevin -- Blog: http://off-the-wall-security.blogspot.com/ "The most likely way for the world to be destroyed, most experts agree, is by accident. That's where we come in; we're computer professionals. We *cause* accidents." -- Nathaniel Borenstein _______________________________________________ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
