[CentOS] To James B. Byrne

James B. Byrne byrnejb at harte-lyne.ca
Wed Nov 12 14:26:07 UTC 2014


On Tue, November 11, 2014 13:05, Alexander Farber wrote:
> And ignore the Chrome people getting
> the certificate warning at https://harte-lyne.ca too ;-)
>

We operate our own CA.  If you 'TRUST' us then you can add the root cert
for our CA by visiting  http://ca.harte-lyne.ca/CA_HLL_ISSUER_01/ca.crt and
accepting the cert (presumably after reading the CP and CPS statements).  Then
the warning will disappear.  If not then you can leave or proceed, accepting
the exception permanently or not, as your inclination dictates.

That web site is ancient and was designed for straight http access. It is in
the process of revision but that is not in my hands and given past events I
have no expectation of anything changing soon.  We have since gone to "https
everywhere" and thus the certificate is now an issue.  Most of our sites are
blocked to outside access or require authentication in any case.

That said, the issue of Trusted certificates is problematic. In my opinion,
the present state of the PKI CAs is in such disarray that anyone who is
counting on the 'Trusted' CAs that come pre-installed in browser packages is
living in blissful ignorance of the underlying risks presented thereby. Users
are rarely aware of, or realise the implications of, the fact that any 'Trusted'
CA can issue a valid certificate for ANY domain. Any browser that 'Trusts'
that CA will accept any site presenting said certificate as legitimate.  This
is the singular weakness of imposing a hierarchical requirement on top of a
distributed solution.  DNSSEC is representative of the alternative approach
that I believe eventually will be adopted for all forms of network identities,
including email.

Our company policy at the moment does not properly address the Trusted CA
issue either, other than that we have set up, and exclusively use, our own CA
for our own use.  I am pushing to have all default trusted roots removed from
all users' browsers and only approved roots added back.  This is not feasible
at the present time because of the lack of any automated tool (of which I am
aware and that is FLOSS) to enforce it.

For that matter, we are still waiting for our registrar to support DNSSEC, for
which we have been ready since early 2012 and the .ca. registrar since 2013.


-- 
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
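The two claims in the message above, that any root a client trusts can issue a certificate for any name and that the only client-side control is which roots sit in the trust store, can be shown with a throwaway CA built on the spot. The script below is an added example; it is not part of the original post and has nothing to do with Harte & Lyne's CA (CA_HLL_ISSUER_01). The CA names (rogue, approved) and the hostname (victim.example) are made up for the demo, and it assumes openssl 1.1.1 or newer on PATH.

```shell
#!/bin/sh
# Added example, not from the original post or from any real CA.
# Builds a private root, has it sign a cert for a name it does not control,
# and shows that a client trusting that root accepts the cert while a client
# whose trust store holds only an approved root rejects it.
# All names (rogue, approved, victim.example) are made up. Needs openssl >= 1.1.1.
set -eu

# Minimal config so the demo does not depend on the system openssl.cnf.
write_cnf() {
  cat > demo.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[ dn ]
CN = unused
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
}

# make_ca NAME: self-signed root NAME.crt / NAME.key. Anyone can mint one;
# nothing in the file itself says whether the world should trust it.
make_ca() {
  openssl req -x509 -config demo.cnf -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=$1 demo root" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# issue_leaf CA HOST: CA signs a server cert for HOST with no check at all
# that the requester controls HOST. X.509 itself imposes no such check;
# domain validation, CT logging and name constraints are CA policy, not format.
issue_leaf() {
  openssl req -new -config demo.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=$2" -keyout "$2.key" -out "$2.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
    "$2" > "$2.ext"
  openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" -CAcreateserial \
    -days 30 -extfile "$2.ext" -out "$2.crt" 2>/dev/null
}

# verify_leaf TRUSTSTORE LEAFCRT HOST: what a browser does. Returns 0 when the
# chain builds to a root in TRUSTSTORE and HOST matches the SAN, non-zero otherwise.
verify_leaf() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# fingerprint CRT: the value to compare out of band (phone, signed mail, printed
# CPS) before adding a root fetched over plain http to any trust store.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256
}

demo() {
  cd "$(mktemp -d)"
  write_cnf
  make_ca rogue
  make_ca approved
  issue_leaf rogue victim.example
  echo "rogue root: $(fingerprint rogue.crt)"
  if verify_leaf rogue.crt victim.example.crt victim.example; then
    echo "client trusting the rogue root: cert for victim.example ACCEPTED"
  fi
  if ! verify_leaf approved.crt victim.example.crt victim.example; then
    echo "client trusting only the approved root: cert for victim.example REJECTED"
  fi
}

demo
```

The outcome of verify_leaf depends only on the -CAfile argument, which is the whole point: the cert is equally "valid" in both runs, and the same mechanism is what makes a trimmed trust store (only approved roots) an effective control. The fingerprint step is the check to do before accepting a root such as the ca.crt linked above, since a download over http can be substituted by anyone on the path.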