[squid-users] What's the best way to ban Let's encrypt based certificates? or whitelist a very narrow list of Root and Intermediates CA?
Eliezer Croitoru
eliezer at ngtech.co.il
Wed Jan 23 19:47:08 UTC 2019
Amos,
Thanks for the feedback.
Now that we write about the subject in clear text it's making things a bit clear.
I wasn't sure about the purpose of the helpers to begin with.
As you wrote before, for specific use cases these X.509 properties are what this specific organization need to verify.
>From my point of view most users(non-technical) are yet to understand these properties good enough and these are things
that us and our kids needs to learn about the Internet: "not every Encrypted traffic means secure!".
Specifically Let's encrypt makes sure that the world of encryption will be more popular and there for more secure.
So +*2 for them but still the point stays with then that encryption might not always be the right way.
SFTP ,MS and OpenSSL + others proved that encryption is a must in our world but not always the right answer.
..Also DNSSec and/or EDNS makes this picture much clear.
Eliezer
* If I missed someone it's because there are too many to say thank you to/for.
----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il
-----Original Message-----
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Amos Jeffries
Sent: Wednesday, January 23, 2019 12:57
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] What's the best way to ban Let's encrypt based certificates? or whitelist a very narrow list of Root and Intermediates CA?
On 23/01/19 7:59 pm, Eliezer Croitoru wrote:
> OK so,
>
> Every Root CA have differ level of certification.
> For example there are Root CA's which are allowed to sign only for encryption
> ...and basic domain ownership validation which can be verified against a Domain Regristrar.
> Compared to this there are couple other level's of Certificates like what is name "EV" (the one of banks and such critical ORG's).
> Let's encrypt brings to domain ownership the ability to being verified as the domain owner or it's proxy.
>
> The Root CA that the bank of America uses has the license to offer not only encryption but also:
> * Ensures the identity of a remote computer
> * Proves your identity to a remote computer
> * Protects e-mail messages
> * Ensures software came from software publisher
> * Protects software from alteration after publication
> * Allows data to be signed with the current time
>
> Compared to Let's encrypt that is an intermediate CA with the next license:
> * Protects e-mail messages
> * Ensures the identity of a remote computer
> * Proves your identity to a remote computer
> * Allows data to be signed with the current time
> * Allows data on disk to be encrypted
> * 2.23.140.1.2.1
> * 1.3.6.1.4.1.44947.1.1.1
> * Document Signing
>
Those listed things above sound like the X.509 certificate 'use'
properties are what you actually need to be checking. Am I right?
> Which doesn't includes:
> * Ensures software came from software publisher
>
> Which is critical for ISO bounded web services.
>
> In another words:
> If the certificate is not EV ie the name of the corporation or business it means that it's not ISO compliance regarding
> paying using a credit/visa/other card.
>
> So if you are going to pay to someone over the Internet only pay if you know and validated the identity of the owner and\or orginzation.
> This concept was introduced to prevent phishing and other things.
> One of the exception I have seen is Paypal main site which does have EV named license/certificate but the name is not embedded into the certificate so I prefer not to buy in this specific site but buy locally.
>
A validator which checks for existence or non-existence of certain X.509
permissions would be the better approach instead of a curated whitelist
of CA names. That way;
* you are not limited to whitelisting and its inherent "human error" or
incompleteness component biasing for/against any particular CAs,
* you can publish the required criteria for transparency,
* CAs can choose for themselves whether they adjust certs permissions
to be blocked or un-blocked without involving any tricky politics to
lower your required standard of proof.
Some CAs might for example have a special root CA with restricted
policies to comply with the ISO requirement, and another for their wider
use.
Amos
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
More information about the squid-users
mailing list