Don't want to get into one of the peeing contests that have become all too common here.
Let me just say that never mind any enterprise PKI CA constraints, I think Tom was talking about OpenSSL on a PC. OpenSSL stores private keys -- private keys -- in a pretty accessible format. If I can get into Tom's PC -- perhaps while he is at lunch, or with a clever phish -- and get that private key, then I can generate server certificates for any site in the world and Tom's associates will trust those certificates.

Not criticizing Tom or his processes here. Just pointing out to readers that there are some significant risks in general to the approach of "oh, I will just create an ad hoc CA and have my users trust it." Trusting a CA is implicitly trusting everything that anyone does with its root private key. Yes, it is no different in some ways than trusting DigiCert. The difference is that DigiCert has very rigorous protocols for protecting its root private keys. OpenSSL does not.

Charles

On Tue, 29 Aug 2023 09:23:16 -0500, Grant Taylor <gtay...@tnetconsulting.net> wrote:

>On 8/29/23 8:31 AM, Charles Mills wrote:
>> Just being a security PITA here, but that solution makes the security
>> of their systems subject to whatever safeguards you do or do not put
>> on yours.
>
>Remember, Certificate Authorities can be constrained. E.g. it's
>possible to create an Enterprise Certificate Authority that can only
>sign things in the enterprise.example.net domain and nothing outside of
>it. Thereby significantly limiting exposure to things outside of the
>enterprise.
>
>> If I can extract the CA private key from your PC then it is trivial
>> for me to create a www.chase.com certificate that will be trusted by
>> their browsers without any question, and mount a man-in-the-middle
>> attack on their banking.
>
>I question the veracity of that statement.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
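Added example (not part of the thread, and not code from either poster): the two positions above can be tested directly with the OpenSSL command line. The script below builds an ad hoc self-signed CA whose certificate carries the RFC 5280 nameConstraints extension Grant describes (permitted subtree DNS:enterprise.example.net), then uses the very same CA key to sign one server certificate inside that subtree and one outside it, and asks OpenSSL's own verifier to validate both. It also shows the key-storage point Charles makes: `-nodes` writes a plaintext PKCS#8 key that anyone with read access can copy, and `openssl pkey -aes256` re-wraps it under a passphrase. All domain names, file names and the passphrase are made up for the example; it assumes an `openssl` CLI of version 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not from the IBM-MAIN thread). Names, paths and the
# passphrase are invented. Requires the openssl CLI (1.1.1 or 3.x).

# Issue a server certificate for DNS name $3, stored as $1/$2.crt, signed by
# the CA key in $1. The leaf gets a subjectAltName because that is the field
# name constraints are matched against.
issue_leaf() {
    printf '[ req ]\nprompt = no\ndistinguished_name = dn\n[ dn ]\nCN = %s\n' "$3" \
        > "$1/$2.cnf"
    printf 'basicConstraints = CA:FALSE\nkeyUsage = critical, digitalSignature\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' "$3" \
        > "$1/$2.ext"
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$1/$2.key" -out "$1/$2.csr" -config "$1/$2.cnf" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 30 -extfile "$1/$2.ext" -out "$1/$2.crt" 2>/dev/null
}

# Re-wrap a plaintext PKCS#8 key under a passphrase (AES-256) and tighten its
# mode. A copy lifted from disk is then useless without the passphrase.
encrypt_ca_key() {
    openssl pkey -in "$1" -aes256 -passout "pass:$3" -out "$2" && chmod 600 "$2"
}

# True if the PEM header announces encryption (PKCS#8 "BEGIN ENCRYPTED
# PRIVATE KEY" or the legacy "Proc-Type: 4,ENCRYPTED" line).
key_is_encrypted() {
    head -n 2 "$1" | grep -q ENCRYPTED
}

# Build the CA in directory $1: a self-signed certificate that permits only
# DNS names equal to or under enterprise.example.net. -nodes writes the key
# unencrypted, the "pretty accessible format" Charles objects to.
setup_demo_ca() {
    cat > "$1/ca.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
CN = Enterprise Ad Hoc CA (example)
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
nameConstraints = critical, permitted;DNS:enterprise.example.net
EOF
    openssl req -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -keyout "$1/ca.key" -out "$1/ca.crt" -days 30 \
        -config "$1/ca.cnf" 2>/dev/null
    # Same CA key signs both: one name inside the subtree, one outside it
    # (what an attacker holding a stolen copy of ca.key would try).
    issue_leaf "$1" inside  mail.enterprise.example.net
    issue_leaf "$1" outside www.bank.example.com
    encrypt_ca_key "$1/ca.key" "$1/ca.enc.key" "correct horse battery staple"
}

# Chain validation of leaf $2 against the CA in $1; returns openssl's status.
# OpenSSL applies name constraints from every CA in the chain, including a
# self-signed trust anchor, so the outside leaf fails even though its
# signature is perfectly valid.
verify_leaf() {
    openssl verify -CAfile "$1/ca.crt" "$1/$2.crt"
}

demo() {
    d=$(mktemp -d)
    setup_demo_ca "$d"
    echo "key as written by -nodes: $(head -n 1 "$d/ca.key")"
    echo "key after encryption:     $(head -n 1 "$d/ca.enc.key")"
    echo "inside the permitted subtree:"
    verify_leaf "$d" inside
    echo "outside the permitted subtree:"
    verify_leaf "$d" outside || echo "(rejected, as the constraint intends)"
    rm -rf "$d"
}

demo
```

The rejection shows up as `error 47 at 0 depth lookup: permitted subtree violation`. Two caveats a practitioner should keep in mind: the constraint only helps if it is on the CA certificate the users actually install, and the relying party's TLS stack has to honour a constraint placed on a self-signed trust anchor (OpenSSL's verifier does, as shown; check each client type you care about separately). And the constraint limits the blast radius of a stolen key, not the theft itself: anyone holding the plaintext `ca.key` can still mint trusted certificates for every name under enterprise.example.net, which is Charles's point about how the key is stored.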