Certificates (was Re: Fwd: Είχατε δίκιο ....)

Patroklos Argyroudis argp at cs.tcd.ie
Tue May 8 13:12:13 EEST 2007


On Tue, May 08, 2007 at 10:49:33AM +0300, Christos Ricudis wrote:
> 
> To montelo empistosynhs tou X.509 einai ierarxiko. To pistopoihtiko sou 
> einai ypogegrammeno apo mena, to diko mou to ypografei o Mhtsos, tou Mhtsou 
> to ypografei o Takhs, kai tou Takh brisketai ston browser tou xrhsth - opote 

Auto dinei tin entiposi oti sto X.509 oi hristes mporoun na ekdidoun
pistopoiitika, pragma pou profanos den ishyei.  Episis, to X.509
akolouthei ierarhiki domi mono sti theoria.  Sti praksi i ierarhia tou
apoteleite mono apo dyo epipeda, auta ton Certification Authorities
(CAs) kai ton service providers (web servers, electronic commerce
sites, patch distributors ktlp) oi opoioi pistopiounte apo tous
protous oti pragmati einai autoi pou lene oti einai.

> Ayto dinei ston xrhsth thn idea oti *to idio to SSL transaction tou* einai 
> ligotero asfales apo oti 8a htan an xrhsimopoiouse ena omorfo gyalistero SSL 
> certificate ypogegrammeno apo kapoio "trusted" certification authority - 
> idea h opoia bebaiws einai lan8asmenh. To SSL encryption kai stis dyo 
> periptwseis einai akribws to idio.

Profanos, to SSL einai vasika protokolo tautopoiisis kai
kryptografisis dedomenon.  To montelo empistosynis pano sto opoio
vasizete to SSL oste na dimiourgisei to asfales kanali einai entelos
alli ypothesi (opos gia paradeigma to X.509 montelo pou perigrafeis
pio pano).  Dystihos ta RFC tou SSL/TLS einai haragmena stin petra,
opote an kai einai tehnika aplo na ypostirihtoun kai alla montela
empistosinis (pragma pou ehei ginei me diafora Internet-Drafts) auto
gia diaforous logous (tous opoious ligo-poly ypainisesai) de
symvainei.

> Contrary to popular belief, gia na baleis to root certificate authority sou 
> ston IE, de xreiazetai na plhrwseis thn Microsoft. Xreiazetai na plhrwseis 
> tous auditors poy 8a sou dwsoun to certification poy sou zhtaei h Microsoft, 
> to opoio "pistopoiei" oti eisai ikanos na leitourghseis ena root 
> certification authority.

I Microsoft ohi mono apaitei security audits apo ta CAs ton opoion to
root certificate vazei ston IE, alla epipleon synithos ta apaitei se
etisia vasi [1].

> Ta antistoixa requirements ths Netscape gia ta dika ths trusted root 
> certification authorities einai ligo pio flou, alla ypo8etw oti sthn praksh 
> h diadikasia 8a einai peripou h idia - mporei apla na diaferei o 
> subcontracted auditor poy sou dinei thn pistopoihsh.

Parepiptontos, to Mozilla Foundation ehei (profanos) diaforetiki
politiki apo ti Netscape kai ti Microsoft gia tin eisagogi root
certificates ston Firefox, i opoia telika kataligei sto "vazoume oti
nomizoume alla toulahiston akolouthoume anoihtes diadikasies" [2].

Den eimai sigouros gia to poio montelo douleuei kalytera (yeah right).
Omos einai sigoura kalytera i politiki eisagogis na einai anoihti kai
kala tekmiriomeni apo to na min yparhei katholou.

> An ayto sas akougetai ligaki pipa, swsta sas akougetai - kanena commercial 
> certification authority den exei oute thn dynatothta, oute th 8elhsh, oute 
> to symferon na analabei thn ey8ynh na pistopoiei st'alh8eia tous pelates 
> tou. An de mou ypograpsei to phishers SSL certificate mou h Verisign eimai 
> apolytws eley8eros na paw sthn Thawte, ktl. Zhtw h eley8erh agora.

Symfono oti ta CAs den ehoun apolytos kanena symferon na prohoroun se
sosti kai olokliromeni pistopoiisi.  To vasiko tous eksodo einai o
eleghos pou pragmatopoioun se ena Certificate Signing Request (CSR)
kapoiou service provider oti pragmati to onoma pou zita na pistopoiithei
anoikei ston idio os fysiko i nomiko prosopo.  Sti theoria auto prepei
na ginete offline me kapoia tautotita i alla eggrafa.  Sti praksi, ta
fthinotera certificates (pou fysika "kleinoun" to icon tis klidarias
stous browsers akrivos opos kai ta akrivotera :) ekdidonte me ena aplo
email exchange.

Elpizo oloi na thymaste ti gkafa tis VeriSign pou ekane autes tis
praktikes genikos gnostes ekdidontas dyo pistopoiitika gia ypografi
patches (!) se kakovoulo atomo pou zitise to onoma "Microsoft
Corporation" [3, 4].

<shameless-self-plug>

Ta provlimata tou X.509 einai polla perisotera (as mi milisoume simera
gia revocation).  Yparhoun diafores alles lyseis (p.h. Identity-Based
Encryption, i akoma kai to montelo empistosynis tou SSH) ta opoia
ehoun ta dika tous proterimata kai meionektimata.  Gia perisoteres
plirofories:

http://wesii.econinfosec.org/draft.php?paper_id=9

</shameless-self-plug>

> Prosfatws to debian exwse anamesa sta ypoloipa root certificates, merika 
> epipleon. Dyo dika tous, ena tou cacert.org (ena free certification 

Ehei to Debian tekmiriomeni politiki shetika me tin eisagogi root
pistopoiitikon;  Apo tote pou ekanan fork ton Firefox gnorizei kaneis
an akolouthoun na vasizonte sto idio synolo apo root pistopoiitika pou
ehei o Firefox i ksekinisan apo tin arhi;

[1] http://www.microsoft.com/technet/archive/security/news/rootcert.mspx
[2] http://www.mozilla.org/projects/security/pki/nss/ca-certificates/policy.html
[3] http://news.com.com/2100-1001-254586.html
[4] http://www.microsoft.com/technet/security/bulletin/MS01-017.mspx

-- 
Patroklos Argyroudis
http://ntrg.cs.tcd.ie/~argp/




More information about the Linux-greek-users mailing list