CA Честного Ахмеда

Что: a51af292b9189b78a6b3a8341a525176b5c4b3ba

Когда: 2021-08-03 22:03:49+03:00

Темы: crypto dns fun

CA Честного Ахмеда

https://bugzilla.mozilla.org/show_bug.cgi?id=647959
Из https://security.stackexchange.com/questions/53117/what-trusted-root-certification-authorities-should-i-trust
узнал про про такой замечательный, но отвергнутый Mozilla удостоверяющий
центр Честного Ахмеда. I like it! (C) Borat Sagdiev

    1. Name
    Honest Achmed's Used Cars and Certificates

    2. Website URL
    www.honestachmed.dyndns.org

    3. Organizational type
    Individual (Achmed, and possibly his cousin Mustafa, who knows a bit about computers).

    4. Primary market / customer base
    Absolutely anyone who'll give us money.

    5. Impact to Mozilla Users
    Achmed's business plan is to sell a sufficiently large number of
    certificates as quickly as possible in order to become too big to
    fail (see "regulatory capture"), at which point most of the rest of
    this application will become irrelevant.

    6. CA Contact Information
    achmed@honestachmed.dyndns.org

    Technical information about each root certificate

    1. Certificate Name
    Honest Achmed's Used Cars and Certificates

    2. Certificate Issuer Field
    Honest Achmed's Used Cars and Certificates

    3. Certificate Summary
    The purpose of this certificate is to allow Honest Achmed to sell
    bucketloads of other certificates and make a lot of money.

    4. Root Certificate URL
    www.honestachmed.dyndns.org/cert.der

    5. SHA1 fingerprint to 10. Signing key parameters
    See the certificates.

    11. Test website URL - 14. OCSP (OCSP is required for EV enablement)
    https://www.honestachmed.dyndns.org /
    www.honestachmed.dyndns.org/chain.p7s /
    www.honestachmed.dyndns.org/crl.der /
    www.honestachmed.dyndns.org/ocsp.asp

    15. Requested Trust Bits
    All of them of course.  The more trust bits we get, the more certificates we can sell.

    16. SSL Validation Type
    All of them.  The more types, the more certificates we can sell.

    CA Hierarchy information for each root certificate

    1. CA Hierarchy
    Honest Achmed plans to authorise certificate issuance by at least,
    but not limited to, his cousin Osman, his uncles Mehmet and
    Iskender, and possibly his cousin's friend Emin.

    2. Sub CAs Operated by 3rd Parties
    Honest Achmed's uncles may invite some of their friends to issue
    certificates as well, in particular their cousins Refik and Abdi or
    "RA" as they're known. Honest Achmed's uncles assure us that their
    RA can be trusted, apart from that one time when they lent them the
    keys to the car, but that was a one-off that won't happen again.

    Verification Policies and Practices

    1. Documentation: CP, CPS, and Relying Party Agreements
    Honest Achmed promises to studiously verify that payment from anyone
    requesting a certificate clears before issuing it (except for his
    uncles, who are good for credit).  Achmed guarantees that no
    certificate will be issued without payment having been received, as
    per the old latin proverb "nil certificati sine lucre".

    2. Audits
    Achmed's uncles all vouch for the fact that he's honest.  In any
    case by the time he's issued enough certificates he'll be regarded
    as too big to fail by the browser vendors, so an expensive audit
    doesn't really matter.

    3. SSL Verification Procedures
    4. Email Address Verification Procedures
    5. Code Signing Subscriber Verification Procedures

    See (1).

    Response to Mozilla's CA Recommended Practices

    Honest Achmed promises to abide by these practices.  If he's found
    not to abide by them, he'll claim it was a one-off slip-up in
    procedures and that policies have been changed to ensure that it
    doesn't happen again.  If it does happen again, he'll blame it on
    one of his uncles or maybe his cousin, who still owes him some money
    for getting the car fixed.

оставить комментарий

Сгенерирован: SGBlog 0.34.0