Cynics at Large

The Cynical Certificate Hierarchy

This is Perry's department, so don't blame the other Cynics. They were forced to go along. In fact, I didn't even ask them.

So Why Did I Do It?

Out of a combination of reckless exuberance and calm deliberation. I have several reasons, some of them good and some others merely interesting:

How Did I Do It?

It wasn't that hard, really. The people working on OpenSSL did all the hard work. I just put together a few dozen shell scripts, a few hours of design and testing, and some research - some interesting, some tedious - to make a certificate authority (CA) package good enough for us. It's not industrial strength - it doesn't have the performance to manage tens of thousands of certificates, and it has no public face, almost no web view. But that suits me perfectly, because it ensures that I manually sign and revoke each certificate, hopefully after considering what I'm doing.

What's With That Cyberspace Thing in Your Certificates?

X.509 requires that each certificate be tied to a distinguished name, which is made up of hierarchical geographic fields such as country, organization, and so on. That works okay for people and perhaps legal entities, but hardly means anything for more abstract entities. So I just decided to locate my signing certificate in a state called Cyberspace. This should really not unduly disturb you.

Isn't This a Bit Overdone?

Well, yeah, I suppose so. But much of the madness has method. For example, the separation between root and signing keys means that the root key is only used about once a year and can thus be kept completely offline. The signing key is used more often, but if it gets compromised, I can get the root key to securely revoke it. This extra level of indirection also allows for clean separation between our certificates and any that are issued to third parties.

Anyway, I don't pay by the certificate, and all my certificates are first class and just as good as I can make them. The current arrangement allows for easy and flexible expansion, and who cares if the computers have to work a bit harder? Surely not I.

This arrangement also leaves you with a very flexible choice for your granularity of trust. The higher in the hierarchy you place your trust, the more certificates you automatically include in your trust.
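
The root/signing split and the granularity of trust described above can be tried out with the following added example, which is not one of this site's CA scripts. Every name, subject and file in it is constructed, the "other" certificate issued directly by the root stands in for a third-party certificate as an assumption about the layout, and it assumes OpenSSL 1.1.0 or later.

```shell
# Added example: constructed names and subjects, not this site's real CA scripts.
# issue <dir> <name> <subject> <ext-section> [issuer]
# Without an issuer the certificate is a self-signed root; otherwise a CSR signed by <issuer>.
issue() {
    d=$1; name=$2; subj=$3; ext=$4; issuer=${5:-}
    if [ -z "$issuer" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$d/ca.cnf" \
            -extensions "$ext" -subj "$subj" \
            -keyout "$d/$name.key" -out "$d/$name.crt" 2>/dev/null
    else
        openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" -subj "$subj" \
            -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null &&
        openssl x509 -req -in "$d/$name.csr" -days 365 -CAcreateserial \
            -CA "$d/$issuer.crt" -CAkey "$d/$issuer.key" \
            -extfile "$d/ca.cnf" -extensions "$ext" -out "$d/$name.crt" 2>/dev/null
    fi
}

build_hierarchy() {
    d=$1
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = req
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = critical,CA:FALSE
EOF
    issue "$d" root    "/ST=Cyberspace/O=Example/CN=Example Root CA"    ca &&
    issue "$d" signing "/ST=Cyberspace/O=Example/CN=Example Signing CA" ca root &&
    issue "$d" ours    "/O=Example/CN=ours.example.test"                leaf signing &&
    issue "$d" other   "/O=Third Party/CN=other.example.test"           leaf root
}

# trusts <dir> <anchor> <cert>: succeeds if <cert> chains up to <anchor>.
# -partial_chain lets a non-root certificate (the signing CA) act as the trust anchor.
trusts() {
    openssl verify -partial_chain -CAfile "$1/$2.crt" \
        -untrusted "$1/signing.crt" "$1/$3.crt" >/dev/null 2>&1
}
```

Run `build_hierarchy` on an empty directory, then compare `trusts DIR root other` with `trusts DIR signing other`: anchoring trust at the root accepts both leaf certificates, while anchoring it at the signing CA accepts only the one that CA issued.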


About This Site 24 Jul 2005 12:41