[openssl-users] Question on necessity of SSL_CTX_set_client_CA_list

Thu Dec 6 22:56:14 UTC 2018

On 06/12/2018 21:16, Viktor Dukhovni wrote:
>> On Dec 6, 2018, at 3:06 PM, Blumenthal, Uri - 0553 - MITLL <uri at ll.mit.edu> wrote:
>>
>> So, a CA that's supposed to validate its customer before issuing a certificate, may do a "more sloppy job" if he doesn't cough up some extra money.
>>
>> I think Peter is exactly right here. CA either do their job, or they don't. If they agree to certify a set of attributes, they ought to verify each one of them.
No, Uri you get it wrong.  Different levels of certainty is the
point.

Consider it like this:

DV: A regular printed business card that you can get from a
   vending machine, proves very little.
     The CA just checks that the person or robot requesting the
   certificate has some semblance of control over the domain
   name at the time of issuance.  Price is as low as $0.

OV: A debit card with the supposed owners name on it, available
   from a number of companies that do minimal checking, but still
   a better ID proof than a business card.
     The CA must check that the company name and address are true,
   using some basic steps such as checking that a company by that
   name exists at that address and confirms they are the ones
   requesting the certificate.  There is no check that the company
   name is an official name or that the company has a business
   license etc.  A traditional lemonade stand run by children can
   potentially get an OV certificate if they stay in one place for
   the time it takes to get the certificate.  (A CA agent visiting
   the company site is enough checking of company existence for OV).

EV: A proper photo ID with serious identity checking before being
   issued, like a government passport.  Includes the holders
   legal name and government ID number (literally), which can be
   used to look up the subjects legal status.
     The CA must check public records, and do some hard checks that
   the request is officially from that company.  There is a 50+
   pages official specification listing how every tidbit of
   this information must be checked.  The CA cannot limit
   its own liability for certain failures to less than $2000.

Each step up the ladder gives the user more certainty the
person/website is who it says it is, but is more expensive
and difficult to obtain for the person/website.  Each step also
costs more money for the CA to check, because there is more work
to do.

The "make it look green" and "fights crime" slogans were just
the old marketing campaign, repeated endlessly as a more
efficient sales pressure than the real explanation.

> While the point of EV was that it certified a binding to a (domain + business name)
> rather than just a domain with DV, it turned out that displaying the business name
> was also subject to abuse, and the security gain proved elusive.
>
>    https://www.troyhunt.com/extended-validation-certificates-are-dead/

A traveling salesman for a cloud provider.

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded