On 30/09/14 03:30, Michael Sierchio wrote: > There are many places where a PKI breaks - hash collisions are far > down the list. Most internal CA implementations offer no more > effective security or trust than just using self-signed certs - the > objective seeming to be to make browsers not complain about the SSL > connection. Without subsidiary CAs, good discipline about their use, a > CRL distribution point baked into certs (or OCSP), you can only verify > that a cert was valid when it was signed, but have no way of dealing > with private key compromise, etc. which happens all the time. Spend > some time thinking about revocation, cert lifespan, etc.if you want to > make a CA "stronger."
Whoa! Big assumptions in there batman!!! Don't for a minute assume you have any understanding about how we use said CA cert. Yes, all of that was thought through 12 years ago when we started doing this. In my experience, our company has been one of the few enterprise environments where a PKI has actually fundamentally improved our security posture, and it was ENTIRELY through focusing on processes - not the technology! (sheesh, ask a simple question... ;-) -- Cheers Jason Haar Corporate Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1 ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org