dshieldlists at versateam.com
Sat Dec 6 18:33:49 GMT 2003
Speaking of certificate hierarchy, a bit of snooping shows that the
issuer of the "Microsoft Secure Server Authority" certificate is
something called "Microsoft Internet Authority" which is in turn issued
by GTE CyberTrust, which is one of the builtin certificate authorities
for Mozilla. This hierarchy seems to be legitimate, that is, if we trust
GTE CyberTrust, we deduce that the Microsoft Internet Authority is
legit, and in turn we deduce that the "Microsoft Secure Server
Authority" is legit.
I personally don't "trust" any of the authorities too far. I trust the
certificates, though (to a certain extent): once a certificate is issued
by a third party, it becomes virtually impossible to change. So I can be
fairly confident that a certificate used for two separate signatures (or
SSL connections), say three weeks apart, is the same certificate --
which in many cases is all I really need to know.
By my way of thinking, "betaplace" would be on probation for weeks or
months before I trusted it very far. If the certificate is persistent,
that would gradually increase my confidence that I am dealing with the
same site each time I visit; by the same token, if the certificate
changed, that would be a warning to stop and decide whether something is
wrong. (Yes, this does assume that the server used by betaplace is
secure, but trusting or not trusting a certificate has nothing to do
with detecting a compromise!)
The one thing I found confusing about this is that Mozilla's Certificate
Manager doesn't seem to handle certificate authorities (CAs) that are
three levels down from the root the way I would expect. That is, if I
add the certificate for the "Microsoft Internet Authority" with the
Certificate Manager, it fits in nicely under GTE CyberTrust, but the
"Microsoft Secure Server Authority" (which it issued) is still not
trusted as an authority. If I then add the "Microsoft Secure Server
Authority" certificate as a trusted authority, it goes into its own slot
with an empty parent, not into the GTE CyberTrust hierarchy with
"Microsoft Internet Authority" as a parent, which is what I expected.
Or maybe there's some standard that says that a CA hierarchy should
never be three deep?
Anyway, now to go remove those authorities from the certificate manager
again. Like I said, I don't trust CAs very much. :-) I'd much rather
be warned when going to a site like that, than add the certificate to
the certificate manager and become complacent.
Johannes B. Ullrich wrote:
>Preamble: This is a very confusion issue. In order to avoid more
>confusion, I am sending this post ahead of other replies. I usually
>don't hold other posts back. But I would like to avoid confusion.
>All other posts, if they agree or not, will be approved shortly.
>'www.betaplace.com' is an authentic site operated by Microsoft.
>However, I agree that it is confusing. The 'https' version is using an
>SSL certificate, which is signed by
>"Microsoft Secure Server Authority". My browser
>(Mozilla), does not include this as a trusted certificate.
More information about the list