[squid-users] What's the best way to ban Let's encrypt based certificates? or whitelist a very narrow list of Root and Intermediates CA?

Eliezer Croitoru eliezer at ngtech.co.il
Wed Jan 23 06:59:57 UTC 2019


OK so,

Every Root CA has a different level of certification.
For example, there are Root CAs which are allowed to sign only for encryption
and basic domain ownership validation, which can be verified against a Domain Registrar.
Compared to this there are a couple of other levels of certificates, like what is named "EV" (the one used by banks and other such critical organizations).
Let's Encrypt brings to domain ownership the ability to be verified as the domain owner or its proxy.

The Root CA that Bank of America uses has the license to offer not only encryption but also:
* Ensures the identity of a remote computer
* Proves your identity to a remote computer
* Protects e-mail messages
* Ensures software came from software publisher
* Protects software from alteration after publication
* Allows data to be signed with the current time

Compared to Let's Encrypt, which is an intermediate CA with the following license:
* Protects e-mail messages
* Ensures the identity of a remote computer
* Proves your identity to a remote computer
* Allows data to be signed with the current time
* Allows data on disk to be encrypted
* 2.23.140.1.2.1
* 1.3.6.1.4.1.44947.1.1.1
* Document Signing

Which doesn't include:
* Ensures software came from software publisher

Which is critical for ISO-bound web services.

In other words:
If the certificate is not EV, i.e. with the name of the corporation or business, it means that it's not ISO compliant regarding
paying using a credit/Visa/other card.

So if you are going to pay someone over the Internet, only pay if you know and have validated the identity of the owner and/or organization.
This concept was introduced to prevent phishing and other things.
One of the exceptions I have seen is PayPal's main site, which does have an EV-named license/certificate, but the name is not embedded in the certificate, so I prefer not to buy on this specific site but to buy locally.

All the best,
Eliezer

* For others PayPal might be good enough...

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il



-----Original Message-----
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Andrea Venturoli
Sent: Monday, January 21, 2019 10:51
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] What's the best way to ban Let's encrypt based certificates? or whitelist a very narrow list of Root and Intermediates CA?

On 1/20/19 11:02 PM, Eliezer Croitoru wrote:

> The issue is that these sites are encrypted but do not offer any way 
> of assuring real ISO and a couple of other compatibilities of the ORG.
> 
> For a simple home user it’s fine most of the time but for some it’s not.

Just out of curiosity, could you better explain this?
Pointers are enough if you prefer.

  bye & Thanks
	av.
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
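The post above sorts certificates by what a certificate viewer shows under "policies" and "enhanced key usage": 2.23.140.1.2.1 is the CA/Browser Forum domain-validated (DV) policy OID, 2.23.140.1.1 the extended-validation (EV) one, and "ensures software came from software publisher" is the codeSigning extended key usage. The following Go program is an added example for this thread, not code from the post, from Let's Encrypt or from Squid: it builds two constructed, self-signed test certificates carrying those extensions and reads them back with the standard library, classifying the validation level from the certificatePolicies OIDs and checking the EKU list. The hostnames and OID set beyond the one quoted in the post are assumptions taken from the CA/B Forum Baseline Requirements.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// CA/Browser Forum policy OIDs stating how the subject was validated.
// 2.23.140.1.2.1 is the one quoted in the post (domain validation only).
var (
	oidPolicyDV     = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1}
	oidPolicyOV     = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 2}
	oidPolicyIV     = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 3}
	oidPolicyEV     = asn1.ObjectIdentifier{2, 23, 140, 1, 1}
	oidCertPolicies = asn1.ObjectIdentifier{2, 5, 29, 32} // id-ce-certificatePolicies
)

// ValidationLevel returns the validation class asserted in certificatePolicies:
// "EV", "OV", "IV", "DV", or "unknown" when no CA/B Forum OID is present.
// The OID is only the issuer's claim; it means nothing unless the chain
// validates to a root you actually trust.
func ValidationLevel(cert *x509.Certificate) string {
	levels := []struct {
		oid  asn1.ObjectIdentifier
		name string
	}{{oidPolicyEV, "EV"}, {oidPolicyOV, "OV"}, {oidPolicyIV, "IV"}, {oidPolicyDV, "DV"}}
	for _, l := range levels { // strongest class wins when several are present
		for _, p := range cert.PolicyIdentifiers {
			if p.Equal(l.oid) {
				return l.name
			}
		}
	}
	return "unknown"
}

// HasEKU reports whether extendedKeyUsage permits the given usage. A certificate
// without the extension at all is unrestricted (RFC 5280 4.2.1.12), so that counts as yes.
func HasEKU(cert *x509.Certificate, want x509.ExtKeyUsage) bool {
	if len(cert.ExtKeyUsage) == 0 && len(cert.UnknownExtKeyUsage) == 0 {
		return true
	}
	for _, u := range cert.ExtKeyUsage {
		if u == want {
			return true
		}
	}
	return false
}

// selfSigned builds a constructed self-signed certificate carrying the given
// policy OIDs and extended key usages (test data for this example only).
func selfSigned(cn string, policies []asn1.ObjectIdentifier, ekus []x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  ekus,
	}
	if len(policies) > 0 {
		// certificatePolicies ::= SEQUENCE OF PolicyInformation { policyIdentifier OID, ... }
		// Written as a raw extension so the example behaves the same on every Go version.
		type policyInformation struct{ Policy asn1.ObjectIdentifier }
		infos := make([]policyInformation, 0, len(policies))
		for _, p := range policies {
			infos = append(infos, policyInformation{p})
		}
		val, err := asn1.Marshal(infos)
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidCertPolicies, Value: val}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Assumed names: a DV-style site certificate and an EV-style one with code signing.
	dv, err := selfSigned("example.org", []asn1.ObjectIdentifier{oidPolicyDV},
		[]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth})
	if err != nil {
		panic(err)
	}
	ev, err := selfSigned("Example Bank", []asn1.ObjectIdentifier{oidPolicyEV, oidPolicyOV},
		[]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageCodeSigning})
	if err != nil {
		panic(err)
	}
	for _, c := range []*x509.Certificate{dv, ev} {
		fmt.Printf("%-13s level=%-7s codeSigning=%v\n",
			c.Subject.CommonName, ValidationLevel(c), HasEKU(c, x509.ExtKeyUsageCodeSigning))
	}
}
```

Two practical caveats when applying this to a proxy: a policy OID or EKU is just what the issuer wrote into the certificate, so classify only after the chain has validated against the trust store you actually ship, and a certificate with no extendedKeyUsage extension is unrestricted rather than "missing code signing".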