Domain: geotrust.com
Stories and comments across the archive that link to geotrust.com.
Comments · 20
-
Re:Well duh
If you think Etisalat is untrustworthy... keep in mind you too can have your very own privately branded CA through GeoTrust, Global Trust's Root Signing service, or QuoVadis / RSA's Root Signing Service.
You just have to meet their minimum financial net-worth and insurance requirements, policy requirements, and "compliance" guidelines.
The limiting factor is the cost of these services. If you are willing to pay enough, you can have your own CA.
The fact of the matter is, trust is not part of the equation.
X.509 CA / SSL Certificate cryptography practices are very broken.
-
Re:Secure?
GoDaddy High Assurance SSL.
Comodo Trusted SSL.
GeoTrust True BusinessID.
Business identity validation SSL certificates have been around for a long time. The only thing different about VeriSign's offering is that they're partnering with Microsoft to have the bar turn green if their more expensive cert is detected, to the disadvantage of all other SSL providers. This is an attempt by VeriSign to make it effectively necessary for businesses to use their cert so customers won't think that their site is insecure.
There's so much wrong with this attempt to gain a monopoly without adding anything of value to the market... but par for the course for VeriSign.
-
These make sense
1) Maker Faire, Netizen, and Web 2.0 are all registered for a single use: Conferences. They named a conference and they should be allowed to protect that name. If someone started running their own thing and couldn't come up with a name so they called it E3 or PCExpo, you'd expect the holders of those trademarks to sue, no?
2) The "Website" trademark application was also for a single use, in this case "computer software used to create a server on a global computer network..". Apparently, O'Reilly used to make a piece of software called "Website Professional", and it was this uninspired name they were trying to protect. Again, color me unsurprised.
This entire argument has gone back and forth a million times already, so it's kind of pointless. People who are anti-trademarks will argue that this is word-squatting and that "netizen" and "web 2.0" are public domain words. People who aren't will argue that the trademarks only cover their original uses by O'Reilly and thus using the word(s) netizen on a website or a newspaper or even the cover of a best-selling book is not infringement.
-
Geotrust hasn't revoked the phisher's cert yet
Check it out. Still listed. Doesn't even seem to be in the certification revocation database.
Let's quote what Geotrust says about relying on certificates:
GeoTrust's solution is that the browser should display... "The name and logo of the CA who issued the certificate. Consumers will soon learn from news reports which CAs to trust and which CAs use sloppy procedures and should not be trusted."
We should take Geotrust at their word. Now that we're certain that their procedures are sloppy and they can't be trusted, their certs should be pulled from all browsers. New releases of Firefox should not contain root certs for Geotrust. They had their chance, and they blew it.
-
GeoTrust
The University of Wisconsin - Madison has deployed a campuswide PKI solution based on GeoTrust.
More information, with presentations and descriptions of our deployment:
http://doit.wisc.edu/middleware/pki/
UW/GeoTrust/EDUCAUSE joint press release:
http://doit.wisc.edu/middleware/pki/geotrustuwpki.asp
For more information about UW-Madison's PKI deployment, contact Nick Davis
-
Inside information
I work on the server products in question, so I will use this opportunity to set a few things straight.
1) History. The Netscape/Sun (iPlanet) joint venture was dissolved in 2001, with both parties retaining intellectual property rights to all the collaborative code. AOL decided to pursue development of several server products, under the umbrella Strategic Business Solutions. In 2002/3, the product list was shortened, a new group was formed (Netscape Security Solutions), focussing on essentially CMS, Directory (NDS), and Enterprise server (NES). See http://enterprise.netscape.com
Netscape Communications Corp is a wholly owned subsidiary of Time Warner. The browser development always has been entirely independent of server development, except for use of the same facilities in Mountain View. We all reported into two completely different management chains. So, browser engineering layoffs and gecko development, while interesting, are largely irrelevant.
2) Sales/Support. Sales and Support are currently fully staffed for these products. Sorry, but these products never really fit into AOL's consumer strategy, that's just the facts of life. AOL just isn't known to be in the business of marketing server software (although they have a great need for it internally). AOL did the right thing for their customers by selling off these products to a company who is more able to give them the development they deserve.
3) Continuing development after iPlanet. Sun had versions of NDS, CMS, NES. Soon after, they killed their CMS development. Sun has indeed done a great deal of development of their Directory Server, but we have taken the product in a different direction.
There has been a lot of development at Netscape in the years since iPlanet. The code bases are very different.
4) Directory Server (NDS). Lots of people are asking "Why not use OpenLDAP?". This is really a question of the size of your deployment. NDS scales far, far better than OpenLDAP, and has multi-master replication to provide high availability. These aren't trivial features, and have taken significant development time to get right, with thousands of hours of coding and test case development. Moreover, NDS ships in mission-critical systems as part of HP-UX.
5) CMS - People don't generally know this, but CMS is THE Certificate authority run by the Department of Defense. That's right, DoD has many CAs installed within their organization, and every one is CMS. That's over 10 million certs issued in the last 4 years for one single deployment. So, I found this slashdot comment particularly funny:
I use XCA and find that it suits my needs fine. I manage between 20-30 certificates with it.
Somehow, I think anyone seriously considering more substantial PKI deployments, may consider CMS.
Geotrust is also a huge deployment of CMS - issuing more certs than Verisign, these days. See this link.
CMS supports FIPS approved hardware crypto devices
CMS is Common Criteria certified (http://niap.nist.gov/cc-scheme/vpl/vpl_type.html#cimc) to evaluation level 4 (the highest level possible). You can say what you like about Common Criteria, but the fact is that it takes considerable effort, adds value, and, moreover, is required to sell into the federal government space.
CMS has huge amount of auditing capability.
Not to mention that CMS is just more secure, scalable, performant, and highly-reliable than any other CA out there.
There's so much more in upcoming releases.
-
Re:We need certificates with teeth
Some relying party agreements, with notes:
- GeoTrust. No warranty. Certificate worthless. Reject.
- Entrust. Disclaims all warranties. Certificate worthless. Reject.
- Pttrust. This one is very funny. There are some notes at the bottom about links that need to be fixed up. But generally follows Verisign's approach, with warranties. Probably OK.
- DigiSign. Certificate quality varies. Some are validated, some aren't. Probably best to reject.
- Thawte. Certificate quality varies. Only High Assurance certificates should be accepted.
-
Most commercial certs are worthless
Most certificates certify nothing. The issuer guarantees nothing, and the "relying party agreement", if you can find it, promises very little, if anything.
For example, see the TrueSite Relying Party Agreement. "The Service is provided on an as-is basis without warranties of any kind".
Even Verisign's Relying Party Agreement, while it does offer some warranties, has a complicated scheme for weaseling out of Verisign's obligation to verify the certificate holder's identity. The relying party agreement refers you to the CPS Section 11, says "Issuing authorities (and VeriSign, to the extent specified in the referenced CPS sections) warrant and promise to... perform the application validation procedures for the indicated class of certificate as set forth in CPS Section 5, Validation of Certificate Applications." There, Verisign says "The IA shall confirm that ... the information to be listed in the certificate is accurate, except for nonverified subscriber information (NSI)." The linked definition of "nonverified subscriber information" is "Information supplied to a certification authority as part of a certificate application". So Verisign doesn't actually stand behind any of the information in their certificates.
This is much weaker than a signature guarantee by a commercial bank, where the bank guarantees to other parties that the person was properly identified. But it costs more.
I'd like to see banks belonging to Visa International and MasterCard issue digital certificates, and require that their certificates had to be on a page that accepted their credit cards. Certificates from banks would actually be worth something.
-
Re:The broken-ness of email
MTA licensing can be based on digital certificates.
Consider the current practice of SSL certificates, required for "secure" web sites.
A small handful of companies have enriched themselves, issuing the certificates. But at $125/year (and up), the cost is high per site. So many sites share a "wildcard" certificate issued to their ISP. Few (if any) ordinary users know to check the certificate before trusting a website's security, so verification of the recipient of your sensitive info is ambiguous. Over time, certification authorities have cut costs, with the result that it's quite easy to get a certification with fake info, and there's virtually no verification after initial issue, despite having to pay nearly full price to renew every year. Worst of all (for the integrity of the system) are newcomers like GeoTrust who will issue a cert in only minutes with no real verification at all (other than easily faked domain name registry info).
THAT is the sorry state of SSL certification, despite the high price of certs which should be more than enough to cover the costs of truly verifying the identity of every entity. All in all, SSL certs today mean very little... other than enriching a very untrustworthy company (Verisign) to the point where they could buy Thawte and obtain a near monopoly.
Why would MTA licensing somehow be any better?
-
Re:Boycott Thawte (Verisign's SSL subsidiary)
Hey, you're misquoting the GeoTrust.com web site... they're compatible with 98% of all browsers, not 90%... there's a huge difference.
Especially considering those 'big players' are barely any better. This (somewhat outdated) page on Verisign's web site even claims that their own Verisign root certificates are present in only 98% of the browsers available.
So 98% compatibility for GeoTrust certificates and 98% compatibility for Verisign certificates... would you pay more for the Verisign certificate?
And Thawte's root cert only shipped with IE 3.01 and 3.02 of the IE 3's... and those Thawte root certs expired in 1998, so they don't do you much good unless you've installed newer ones... but if you're installing new root certs in your browser, why not install the GeoTrust ones? IE4 on the Mac also has the same root cert expiration problem.
So, yes, using a Thawte SSL cert will allow SSL connections without the little warning message on a few more browsers on certain platforms. But do you think someone running a piece of crap browser from 4+ years ago is going to get worried about a warning message saying the authenticity of a certificate cannot be verified? They probably can't even see half the sites they visit, and get a barrage of javascript errors on every page they go to (remember those?)... what's one more little warning message to click through?
-
More Verisign Shenanigans and Tomfoolery
On one hand, Verisign wants us to believe they are sufficiently trustworthy to extort as much as USD1595.00 from us for a handful of 1's and 0's (SSL Certificates), and on the other they expect to be able to get away with the despicable, annoying business practice of hijacking users' web requests? This is annoying enough as it is with opportunistic larrikins buying up misspelt domains, without the custodian of the database abusing its position by returning effectively forged replies to queries for domains which do not exist. Reminds me of their recent foray into the 'Back-Order Domain Acquisition Service' business.
I guess with competitors closing the gap by offering virtually the same thing for a fraction of the price, they must be getting desperate.
-
Re:Good idea
That wouldn't help... I don't trust VeriSign! :-)
Seriously, though... eNIC (part of VeriSign) has seriously screwed up one of my DNS server's glue records under one of our .CC domain names! We had to renumber our network (our ISP finally got their own IP space) and I sent the request in through their web control panel. Yes, they did add the new IP address glue record, but they kept the old one! So now our DNS server's glue record points to two IPs -- one which works and one which doesn't. (And we do host a lot of sites, so I'm sure users are starting to feel the lag.)
I've been trying to resolve this situation for TWO MONTHS now, and no one at eNIC seems to have a clue. Ignored most of my mail until I sent a somewhat-nasty one to them and threatened to change registrars, and they claim to have made the fix. (However, ns1.globaldns.com and others have yet to show that up, and it's been almost a week.)
I'll be SO glad when management finally approves the switch to OpenSRS (RSN!) so we can get away from VeriSign... I'm beginning to prefer to deal with GeoTrust for SSL instead (none of that "fax us your business license" garbage... and it's a 10-minute deal.)
-
Re:Character?
They don't even verify your identity. These guys just ask for your email address, and if it's "webmaster" (or 10 other common user names) then you get the cert in the mail!
-
Re:Cheapass trusted SSL certs
Geotrust's $119 certificates are validated only by emailing the WHOIS admin contact (at least according to the CPS, which you would expect to be correct; see esp. B.1 and B.2).
InstantSSL's $49 SSL certificates do validate the organisation, not just the control of the domain. See their CPS esp. 4.3 and 6.4.
Disclaimer: I work for Comodo, which does the validation for InstantSSL, although I am not involved in the process myself. However, although I like Comodo, and they pay my wages, I don't speak for Comodo (hence posting anonymously), and am solely responsible for the content of this message.
By the way, they also do free email certificates (identity not validated) which other people charge $10-$20 for.
-
Re:The Irony
-
Re:Perfectly suitable price
-
Re:Low cost certs
Another ~$120 SSL certificate vendor is here.