
Why a PKI is barely trustworthy

  • En­d­­-­­­point trusts any cer­ti­­fi­­ca­te from any CA con­­fi­­gu­red

    • fa­ke cer­ti­­­fi­­­ca­tes is­­­su­es by an­o­ther CA are a com­­­mon thread

    • mea­­­su­­­re "cer­ti­­­fi­­­ca­te pin­­­ning" on­­­ly stan­da­r­­­di­­­zed for HTTP (H­P­K­P, is now de­pre­­­ca­te­d)

  • Cen­tra­­li­­zed sys­tem

    • high de­­­mand for con­­­fi­­­den­ti­a­­­li­­­ty of CA pri­va­te keys

    • mea­­­su­­­re "in­ter­­­me­­­di­a­te cer­ti­­­fi­­­ca­tes" ma­kes sys­tem even mo­­­re com­plex and mo­­­re sys­tems de­­­man­­­ding high con­­­fi­­­den­ti­a­­­li­­­ty

  • Key Re­vo­­ca­ti­on cum­­ber­­so­­me

    • ba­­­sed on cen­tra­­­li­­­zed "black list"

    • Cer­ti­­­fi­­­ca­te Re­vo­­­ca­ti­on Lists (CRLs) gro­wing hu­­­ge quick­­­ly and need to be dis­tri­­­bu­ted to each en­d­­­-­­­­­point

    • OCSP (On­­­li­­­ne Cer­ti­­­fi­­­ca­te Sta­tus Pro­to­­­col) re­­­qui­res on­­­li­­ne connec­ti­on and ad­­­di­ti­o­nal ser­vi­­ces to be availa­­­ble 24/7

    • OSCP is a thread to pri­va­­­cy

  • Key re­­ne­wal does not re­vo­ke old key

    • if the old key is still va­­­lid (with in its li­­­fe­­­-­­­ti­­­me) and not on the CR­L, it can still be used

  • Com­plex to plan, de­ploy and run

  • No op­­por­tu­­ni­­stic use

    • Can eit­her be en­­­for­­­ced or not used at all.

    • Has no no­ti­on of "I sta­red com­mu­­­ni­­­ca­ti­on en­­­cryp­te­d, so I no lon­­­ger ac­­­cept un­­­en­­­cryp­ted mes­sa­­­ge­s"

    • No TO­­­FU (be­­­si­­­de now­­­-­­­­­de­pre­­­ca­ted HP­K­P)
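The following toy model is an added example, not code from the page or its author. It illustrates three of the points above in running code: an end-point that trusts every configured CA accepts a certificate for the same subject from any of them; pinning the expected public key closes that gap; and renewing a certificate leaves the old one usable until it is explicitly put on the CRL or expires. Real signatures are replaced by an HMAC under a per-CA secret (so it runs offline without a crypto library), the "public key" is just a byte string standing in for the SPKI, and all CA names, keys and validity numbers are constructed for the demonstration.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class ToyCert:
    """Toy certificate; 'pubkey' stands in for the real SubjectPublicKeyInfo."""
    subject: str
    pubkey: bytes
    issuer: str
    serial: int
    not_before: int   # constructed: plain integers instead of timestamps
    not_after: int
    signature: bytes

    def tbs(self) -> bytes:
        # deterministic "to-be-signed" encoding; the signature field is not part of it
        return json.dumps([self.subject, self.pubkey.hex(), self.issuer,
                           self.serial, self.not_before, self.not_after]).encode()


class ToyCA:
    """A CA whose 'signature' is an HMAC over the TBS bytes (stand-in for RSA/ECDSA)."""
    def __init__(self, name: str, secret: bytes):
        self.name = name
        self._secret = secret        # the CA private key whose confidentiality the page stresses
        self.crl: set = set()        # serial numbers of revoked certificates (the "black list")
        self._next_serial = 1

    def issue(self, subject: str, pubkey: bytes, not_before: int, not_after: int) -> ToyCert:
        serial, self._next_serial = self._next_serial, self._next_serial + 1
        unsigned = ToyCert(subject, pubkey, self.name, serial, not_before, not_after, b"")
        sig = hmac.new(self._secret, unsigned.tbs(), "sha256").digest()
        return ToyCert(subject, pubkey, self.name, serial, not_before, not_after, sig)

    def verify(self, cert: ToyCert) -> bool:
        expected = hmac.new(self._secret, cert.tbs(), "sha256").digest()
        return hmac.compare_digest(expected, cert.signature)

    def revoke(self, cert: ToyCert) -> None:
        self.crl.add(cert.serial)


def spki_pin(pubkey: bytes) -> str:
    # pin the hash of the key, not of the whole certificate, so a renewal with the same key keeps working
    return hashlib.sha256(pubkey).hexdigest()


def validate(cert: ToyCert, trust_store: dict, now: int, pins=None):
    """Validation as an end-point does it; returns (accepted, reason)."""
    ca = trust_store.get(cert.issuer)
    if ca is None:
        return False, "issuer not in trust store"
    if not ca.verify(cert):
        return False, "bad signature"
    if not cert.not_before <= now <= cert.not_after:
        return False, "outside lifetime"
    if cert.serial in ca.crl:
        return False, "revoked (on CRL)"
    if pins is not None and spki_pin(cert.pubkey) not in pins:
        return False, "pin mismatch"
    return True, "ok"


def demo() -> dict:
    ca_a = ToyCA("CA-A", b"secret-a")           # constructed CAs
    ca_b = ToyCA("CA-B", b"secret-b")
    trust_store = {ca.name: ca for ca in (ca_a, ca_b)}   # end-point trusts both
    genuine_key, rogue_key = b"key-of-real-example.org", b"key-of-impostor"
    genuine = ca_a.issue("example.org", genuine_key, 100, 200)
    # point 1: any configured CA can issue a certificate for the same subject
    rogue = ca_b.issue("example.org", rogue_key, 100, 200)
    pins = {spki_pin(genuine_key)}
    results = {
        "rogue_without_pin": validate(rogue, trust_store, 150),
        "rogue_with_pin": validate(rogue, trust_store, 150, pins),
        "genuine_with_pin": validate(genuine, trust_store, 150, pins),
    }
    # point 4: renewal with a new key does not touch the old certificate
    renewed = ca_a.issue("example.org", b"new-key", 150, 300)
    results["old_after_renewal"] = validate(genuine, trust_store, 160)
    results["renewed"] = validate(renewed, trust_store, 160)
    # only an explicit CRL entry (point 3) or expiry stops the old certificate
    ca_a.revoke(genuine)
    results["old_after_revocation"] = validate(genuine, trust_store, 160)
    results["old_after_expiry"] = validate(genuine, trust_store, 250)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:22} -> {outcome}")
```

The order of checks in `validate` mirrors what a client has to do in practice: signature, lifetime and CRL lookup come from the CA side and are all passed by the rogue certificate, so only the pin, which is knowledge held by the end-point itself, distinguishes the genuine key from the impostor's.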


Hartmut Goebel

Diplom-Informatiker, CISSP, CSSLP, ISO 27001 Lead Implementer

Do you have further questions?
A call or an e-mail is enough:
  +49 871 6606-318
  +49 175 29 78 072
  h.goebel@goebel-consult.de