[159230] in North American Network Operators' Group


Re: Gmail and SSL

daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Wed Jan 2 07:54:47 2013

To: Jimmy Hess <mysidia@gmail.com>
In-Reply-To: Your message of "Sun, 30 Dec 2012 19:25:04 -0600."
 <CAAAwwbXrT=30++48N8UAas1DpcKWZ8dAe8fgWyeaB3zR00eJ9g@mail.gmail.com>
From: Valdis.Kletnieks@vt.edu
Date: Wed, 02 Jan 2013 07:53:28 -0500
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Sun, 30 Dec 2012 19:25:04 -0600, Jimmy Hess said:

> I would say those claiming certificates from a public CA provide no
> assurance of authentication of server identity greater than that of a
> self-signed one would have the burden of proof to show that it is no
> less likely for an attempted forger to be able to obtain a false
> "bought" certificate from a public trusted CA that has audited
> certification practices statement, a certificate improperly issued
> contrary to their CPS, than to have created a self-issued false
> self-signed certificate.

There's a bit more trust (not much, but a bit) to be attached to a
cert signed by a reputable CA over and above that you should attach
to a self-signed cert you've never seen before.

However, if you trust a CA-signed cert more than you trust a self-signed
cert *that you yourself created*, there's probably a problem there someplace.

(In other words, you should be able to tell Gmail "yes, you should expect
to see a self-signed cert with fingerprint 'foo' - only complain if you
see some *other* fingerprint".  To the best of my knowledge, there's no
currently known attack that allows the forging of a certificate with a
pre-specified fingerprint.  Though I'm sure Steve Bellovin will correct
me if I'm wrong... :)

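The pinning model Valdis describes above (expect one specific self-signed fingerprint, and complain only when some other fingerprint shows up), written out as an added Python example that is not part of the thread. The certificate bytes, host and pin values are constructed placeholders; CA validation is switched off on purpose because the pinned fingerprint is the trust anchor here.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed placeholder: stands in for the DER bytes of the self-signed
# certificate the user has already seen and chosen to trust.
EXPECTED_DER = b"constructed-der-bytes-for-a-self-signed-cert"


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate as colon-separated
    hex, the form most tools print it in."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Accept 'AB:CD:..', 'ab cd ..' or bare hex and compare them alike."""
    return fp.replace(":", "").replace(" ", "").upper()


def pin_matches(der: bytes, pins) -> bool:
    """True if the presented certificate's fingerprint equals one of the
    pinned ones (several pins allow a planned rotation). The comparison is
    constant-time, and who signed the certificate is irrelevant."""
    seen = normalize(fingerprint(der))
    return any(hmac.compare_digest(seen, normalize(p)) for p in pins)


def connect_pinned(host: str, port: int, pins, timeout: float = 10.0) -> ssl.SSLSocket:
    """Open a TLS connection and keep it only if the leaf certificate
    matches a pin. check_hostname is cleared before verify_mode, as the
    ssl module requires; the pin check must run before any data is sent."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    der = tls.getpeercert(binary_form=True)
    if der is None or not pin_matches(der, pins):
        tls.close()
        raise ssl.SSLError("certificate fingerprint %s is not pinned for %s"
                           % (fingerprint(der) if der else "<none>", host))
    return tls
```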