User: Password:
|
|
Subscribe / Log in / New account

Just a user interface issue?

Just a user interface issue?

Posted Feb 28, 2013 21:39 UTC (Thu) by Lennie (guest, #49641)
In reply to: Just a user interface issue? by raven667
Parent article: Loading keys from Microsoft PE binaries

If you ask Verisign to maintain a Verisign signed CA like Microsoft is doing I'm sure it would be expensive.

So how much money does it take to maintain a selfsigned CA ?

You don't need an organisation like Verisign to sign the CA.


(Log in to post comments)

Just a user interface issue?

Posted Feb 28, 2013 21:45 UTC (Thu) by dlang (subscriber, #313) [Link]

running a CA is dirt cheap (look at openca), running a good CA securely costs a bit more.

you need to have processes in place to keep the bad guys out, this probably means that it takes more work to do the signing

you need redundancy

you need to spend time figuring out if you should sign things (unless you are a commercial CA, in which case you just need to see if the credit card accepts the charge)

That being said, the cost of running the CA itself is trivial compared to the cost of getting your cert accepted and in the various places it needs to be to do any good.

Just a user interface issue?

Posted Feb 28, 2013 22:33 UTC (Thu) by Lennie (guest, #49641) [Link]

Forget I even mentioned it, I made a mistake in my thinking.

Just a user interface issue?

Posted Feb 28, 2013 22:14 UTC (Thu) by mjg59 (subscriber, #23239) [Link]

Doing it properly, including identity verification for people in arbitrary countries, with proper software and physical security for the keys? No, it's not cheap.

Just a user interface issue?

Posted Feb 28, 2013 22:59 UTC (Thu) by Lennie (guest, #49641) [Link]

If we forget for a moment that for this purpose doing a custom CA is not useful in this case... as I wasn't thinking properly.

Doing a secure custom CA needs these things, I guess ?
- processs/time/people
- physical security
- key security
- redundancy of the physical security - and key security solution

If you get yourself some cheap netbooks with a builtin TPM and install Linux on it you can then store two copies of your keys in two seperate safes possibly in different buildings. Then you have 3 things solved.

An east european TLD does this for their DNSSEC keysigning keys if I remember correctly. The zone singing keys are on a machine behind a firewall which is used to push updates to the publicly visible servers.

In DNSSEC the zone signing keys are used to sign the DNS data and key signing keys are used to sign the zone signing keys every couple of months.

Just a user interface issue?

Posted Feb 28, 2013 23:36 UTC (Thu) by raven667 (subscriber, #5198) [Link]

Take a look at the requirements for WebTrust to get an idea of some of the basic minimums of procedures that need to be followed, documented and audited.

http://www.webtrust.org/homepage-documents/item27839.aspx

Just a user interface issue?

Posted Feb 28, 2013 23:45 UTC (Thu) by Lennie (guest, #49641) [Link]

Depends what you use it for of course, but if you want to get into browers or a sub-CA then yes, WebTrust is where you can go.

I know if that is what you want, you need a lot of stuff done because I've been following what CAcert is doing.


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds