'Re: Who do you trust? (What CA's do you trust?)'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       racf-l
Subject:    Re: Who do you trust? (What CA's do you trust?)
From:       Wai Choi <wchoi () US ! IBM ! COM>
Date:       2020-02-21 22:36:41
Message-ID: OF4BEABB79.2F6063AB-ON00258515.007A95B9-85258515.007C35A3 () notes ! na ! collabserv ! com
[Download RAW message or body]

An interesting title: Malware and HTTPS – a growing love affair

https://nakedsecurity.sophos.com/2020/02/18/malware-and-https-a-growing-love-affair/

Hosting your own CA has an advantage.

Regards,
Wai 

Wai Choi - RACF/PKI Design and Development



From:   Wai Choi <wchoi@US.IBM.COM>
To:     RACF-L@LISTSERV.UGA.EDU
Date:   01/31/2020 03:57 PM
Subject:        [EXTERNAL] Re: Who do you trust? (What CA's do you trust?)
Sent by:        RACF Discussion List <RACF-L@LISTSERV.UGA.EDU>



Charles,

Even for those CA certs shipped with RACF, the client side still needs to 
'beg' the RACF people to change the status, create a keyring and connect 
the CA cert to it, if  virtual keyring is not used.

I think if the reason offered for the "we don't want that certificate in 
our ring" objection is not trusting that CA cert according to the 
cooperate policy, the administrator is doing the right thing. Adding a CA 
cert to a keyring is a security consideration, it should be handled 
carefully. As long as the cooperate policy indicates it is a trusted CA, 
the RACF group should not reject to use it. 

It is not up to the application owner or the RACF admin to debate 
personally whether a CA should be trusted. But they can make the 
suggestion to make up the trusted CA list in the cooperate policy which 
everyone has to follow.

Regards,
Wai 

Wai Choi - RACF/PKI Design and Development




From:   Charles Mills <charlesm@MCN.ORG>
To:     RACF-L@LISTSERV.UGA.EDU
Date:   01/31/2020 01:59 PM
Subject:        [EXTERNAL] Re: Who do you trust? (What CA's do you trust?)
Sent by:        RACF Discussion List <RACF-L@LISTSERV.UGA.EDU>



Wai, of course what you say is correct, but having to install a CA
certificate is an obstacle to a POC. The guy or gal who is responsible for
the application has to go and beg the RACF people to install the
certificate.

Plus as you mention there is the "we don't want that certificate in our
ring" objection, which cannot happen if it is already installed.

Charles


-----Original Message-----
From: RACF Discussion List [mailto:RACF-L@LISTSERV.UGA.EDU] On Behalf Of 
Wai
Choi
Sent: Friday, January 31, 2020 10:47 AM
To: RACF-L@LISTSERV.UGA.EDU
Subject: Re: Who do you trust? (What CA's do you trust?)

Charles,

Before v2r3 RACF shipped 26 CA certificates. Most of them are 'well-known' 


CAs.  Two of them are IBM code signing CA's. 

The rationale is to simplify the SSL/TLS set up for the customers who 
happen to trust the CA's on the list. They only need to alter the status 
of the certificate to TRUST since all these certificates are shipped with 
NOTRUST status.

  But there are customers who do not want to have these CA certificates in 


their system even they have the NOTRUST status. Someone may accidentally 
alter the TRUST status. 
 
  From the convenience point of view, it is difficult to maintain a list 
of well known CA's nowadays as the number of CA agencies is growing, and 
there are multiple certificates under each    agency. It is hard to know 
which one will be commonly used by the customers in general. 

IBM does not endorse any CAs. It is not the responsibility of individual 
application owner to decide which CA to trust. This should be in the scope 


of cooperate policy. The one who is responsible for setting up the 
cooperate policy is the one to decide which CA to buy certificates from, 
just like any hardware/software purchases, or even use some in-house CA to 


generate certificates for internal use or for communicating with business 
partners.

The right approach is not to guess what CA is already in the clients' 
keyrings, but send the root CA of the server certificate to the clients 
and request them to install that CA, if they decide to communicate with 
your server, according to their cooperate policy. Before the communication 


can happen, you need to send the information to the client, like the 
domain name / ip address/ port number, right? For secure communication, 
you just need to send the root CA cert also.

Regards,
Wai 

Wai Choi - RACF/PKI Design and Development




From:   Charles Mills <charlesm@MCN.ORG>
To:     RACF-L@LISTSERV.UGA.EDU
Date:   01/30/2020 06:07 PM
Subject:        [EXTERNAL] Who do you trust? (What CA's do you trust?)
Sent by:        RACF Discussion List <RACF-L@LISTSERV.UGA.EDU>



X-posted IBM-MAIN and RACF-L.

 

Who do you trust? What CERTAUTH certificates do you have installed and
trusted?

 

I am contemplating purchasing an FTP server certificate for z/OS client 
FTP
access. I'd like to know which CA's are most likely to already be 
installed
in customers' CERTAUTH keyrings.

 

IBM used to ship certificates for VeriSign, Thawte, Integrion, Entrust,
Equifax and ICP. Are those still popularly-trusted CAs?

 

What about Comodo? They are the largest CA. What about GoDaddy? What about
Let's Encrypt, the no-charge CA?

 

There's been a lot of consolidation. Equifax is GeoTrust is VeriSign. 
Thawte
and Symantec are now DigiCert. 

 

Thanks,

 

Charles

 






[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic