Slashdot Mirror
Open Source SSL Cert Server?
EraseMe asks: "I have a great idea for an open source project, but I don't know where to begin. I'm tired of paying large cash for SSL Certifications from companies such as VeriSign. It would be great to provide companies and individuals with free certifications, with one central server providing the solution. I would imagine this wouldn't be terribly difficult to implement over exisiting applications such as OpenSSL and mod_ssl." This would be a cool idea, but if the certs are free, how would such an entity stay afloat and pay for things like servers, office space and bandwidth?
Netscape will recognize the certificate after a one time 5 button click through. IE4 will let you add certificate publishers to a trusted list, otherwise you have to click accept every time you access the site.
Scuttlemonkey is a troll
http://www.openca.org/
Check them out.
--
The real Webmaven is user ID 27463. I don't rate an imposter, because my ID is such a lame-ass high number.
First, a nitpick. Most "Open source" software is in fact available for the price of a 'net connection, but that's also true of Netscape, IE, and buttloads of other software. So stop saying "Open Source" when you seem to mean "free as in beer."
The central issue, it seems to me, is whether you can balance the cost-effectiveness of the SSL certification service (even if it's free to the users, you'll still require resources which will have to be donated or funded by members of the community) with the level of security. The problem is that running responsible checks on the certificate applicant can be fairly costly. VeriSign and Thawte come and visit your location to make sure it's all kosher, don't they? That's expensive ... how do you provide a similar level of verification of security with different methods?
"Oh, I hope he doesn't give us halyatchkies," said Heinrich.
Sorry that you "detest" it, but there's really no way around the problem. I know it may be hard for people here to grok the idea of a problem that cannot be solved by group collaboration and the free and unbridled exchange of ideas, but they do exist, and this is one of them.
Think about what you are saying: "I detest the fact that you have to pay a Trusted Certificate Authority before you can seamlessly secure these sites." The only way to seamlessly secure "these sites" is to have someone who proactively ensures that these sites are who they say they are (the Trusted Certificate Authority). If you've ever purchased an SSL cert before, you know what an arduous process this is - typically three or more separate forms of identifcation are required, articles of incorporation, etc. Verifying that you are actually "you" is a costly and time consuming thing, and barring an unusally pious CA, someone is going to charge you to do it. The money you pay ensures that they are issuing certs with truthful and correct data on them.
The alternative is not a pretty picture. OpenCA will not, and should not, "get into" the Trusted CA list of browsers because it isn't. They do not perform identity checking (at least as far as I can tell based on a cursory glance at their signup page). Telling several million browsers to take anything OpenCA tells them as gospel is just asking for disaster. It would essentially be like authorizing the DMV to sell photo IDs with whatever information you ask for on it - you can be anyone, any server, any thing, and as long as OpenCA is "trusted," no one can tell the difference.
This may not seem like a big deal now, but it will be in the very near future, when one's digital certificate signature carries the same legal force as a handwritten one (this will happen). Scrutiny on digital certs needs to be increased, if anything. They shouldn't be handed out like candy.
--
I think there is a world market for maybe five personal web logs.
OpenSSL can function as a cert server just fine out of the box. The key issue here is trust.
Web browsers and other software using SSL only allow clean passage of certificates from cert authorities for which the master cert for that authority is present. When you get a mainstream we browser, it comes with keys installed for Verisign, Thawte, Deutsche Telekom, Equifax, GTE and a number of other signing authorities.
You can add more signers yourself. If you're deploying browsers for a company/school/organization extranet, for example, you can hand out browsers with your organization's master cert installed, and the browser will happily accept the certs you issue, with no money going to a Verisign, Thawte, etc.
Thing is, in order to get into the master list of signer certs that get bundled with the major browsers, your signing authority has to be considered fully trustworthy. That means you have to be able to vouch for the authenticity of every cert you issue. Verisign and Thawte do that by doing a verification of the info provided by an applicant. That generally costs a bit of money and labor. But then there's the CA's bigger expense: covering themselves in case of liability. A Verisign or Thawte cert, level 3 or higher, costs money because Verisign and Thawte are outting their necks on the chopping block if they issue a false cert. They are liable for fraud committed with a false certificate. Remember: when a browser passively accepts a cert, it isn't just signifying that encryption is taking place. It's telling you that the site (or personal) certificate is correct, that if the cert is claimed to be from Spumco at 123 Main Street, it really is Spumco's cert.
The best you could really hope to put together is a non-profit CA. You can't get rid of significant cost altogether. Insurance costs money.