Slashdot Mirror

← Back to Stories (view on slashdot.org)

Thawte Protects The World From Crypto

Posted by timothy on from the strange-goings-on dept.

nutsaq writes: "Thawte.com, a South African Certificate Authority, in a move of astonishing wrong-headedness, has inexplicably changed it's developer certificate policy. To quote from the site: 'Due to current world circumstances developer certificates can no longer be issued to individuals.'Sucks to be working with crypto these days. Apparently I'll get no help from Thawte to encrypt stuff, oh wait, I didn't need it, the browsers did."

13 of 179 comments (clear)

  1. Thawte are still .za... by wangi · · Score: 3, Informative
    While they might be based in South Africa they're just a sub-division of Verisign now (and for a while):
    http://www.thawte.com/corporate/cps/privacy.html
    So I wonder what Verisign will be doing...

  2. Re:Individuals testing before corporations buy. by windex · · Score: 3, Informative

    Oh but you CAN experiment with the technology. See, all they are is a certificate authority. OpenSSL, for example, has a fairly robust (but not recomended for mass comercial use) facillity for doing the same exact thing they do. Check the OpenSSL documentation for the 'ca' subset of commands. Sure, you'll have to install your own root cert to test it out, but at least that won't stop you from doing the testing itself.

  3. There is an open hub of sorts.... by friedmud · · Score: 3, Informative

    If you use GnuPG (GPG) - you can create your own circle of trust.

    You sign your own certificates (verifying them over the phone or through some other means) and then you in turn publish your keys to open key servers around the world.

    The more places your identity exists the harder it is for someone to steal it - that is why Slashdot allows you to put your public key into your account (you can see the box for it just below the signature box)

    The key servers are run mostly by institutions around the world (I think Stanford is a main hub here in the US) - they basically hold a bunch of public keys that have been signed.

    So this story isn't a big deal for jo shmoe because if you need to securely transfer something from yourself to someone else you can do that for free using GPG.

    So let the companies have their closed ring of trust and you can create your own.

    Derek

  4. Re:Certificate Authorities by euphline · · Score: 3, Informative
    Thawte, and others, pay a tremendous amount of money to M$ to get their root-certs installed with the OS

    This is no longer the case. Microsoft has changed their policy on this for the time being. CAs pay nothing...

    On the other hand, CAs must pass a WebTrust CA audit in order to get on the list. WebTrust audits are extremely expensive. Of course, they serve a useful purpose. They serve to give the end user some sense of confidence that the CA does due dilligence in determining that "you are who you say you are" before issuing a certificate. There is a very small group of companies that have passed WebTrust Audits... (according to WebTrust press releases, Verisign, Entrust, Digital Signature Trust).

    Setting up a non-profit to issue certs sounds like a nice idea, but isn't a realistic option when one must spend lots of money to audit ones practices to assure the public. The commercial CAs are even having troubles making money...

    Determining that "I am who I claim to be" really is a difficult task.

  5. Thawte responds: by Domini · · Score: 5, Informative

    I e-mailed them and got this response from Jeanne Fourie:

    Dear Marius

    Thank you for emailing me with regard to your concern. Due to the current
    international threat of terrorism we have been advised by
    our parent company VeriSign to refrain from issuing developer certs to
    individuals, for the mean while.

    As you will be aware, there is a need right now for companies like ourselves to be
    extremely cautious in all aspects that concern
    security and encryption.

    Developer certs are issued to individuals based on verification of passports and
    drivers licenses. These documents are however easily
    forged and we have therefore had to take the executive decision of not issuing
    certs where the verification process may be
    questionable.

    We are positive that we will be able to resume this service in the near future. I
    do apologize for any inconvenience that this may have
    caused you.

    Regards

    Jeanne

    As can be seen it seems to be Verisign who requested this....

    Hmm...

  6. Re:What difference does this make in the long run? by gregor_b_dramkin · · Score: 5, Informative

    Thanks for opening up your skull and letting us peek at the cavern inside. I normally wouldn't reply to flamebait such as yours, but I'll make an exception in this case to try to stem the flow of ignorance that pours from your keyboard.

    1)
    Script kiddies do not break ciphers. They do not find exploits. They do not reverse engineer systems. If they could do any of these things, they would not fall under the derogatory category, "script kiddie".

    2)
    Pick any of the following algorithms and break it: IDEA, 3DES, RSA, DH. I guarantee you will be famous, at least within security/cryptography circles. These are algorithms that have been scrutinized for decades by professors and professionals. I don't think a 12 year old could break these, except in a movie.

    3)
    SDMI (I assume this is what you mean by SDMA), was a copyright protection system not an encryption system. Anyone who believes they can create a secure, stand-alone, software copyright protection scheme is either ignorant or a genius. Given the ratio of ignorance to genius in the world, I know how I'll bet.

    4)
    The reason so many crypto systems are broken usually falls into one of two categories
    a) The developers think they can design a system just as strong as the professionals who have devoted their lives to making and breaking ciphers.
    b) The designers were forced to use limited strength crippto due to stupid crypto laws.

    Incidentally, the DVD CSS system was broken by the combination of government-mandated 40 bit key length, and a home-made algorithm that reduced the effective keylength to around 30 bits. This makes it possible for an attack to be completed in seconds. FWIW, a 40 bit key search takes 1024 times longer than a 30 bit key search.

    --
    You can never equivocate too much.
  7. Make your own developer certs by KlomDark · · Score: 5, Informative
    It's amazingly easy. Get OpenSSL, install it...

    Make your homebrew CA private key:

    openssl genrsa -des3 -out ca.key 1024

    Create your CA self-signed public key:

    openssl req -new -x509 -days 365 -key ca.key -out ca.crt

    OK, you're set up as a homebrew Certificate Authority (CA) and ready to start signing your own home-brew certs:

    First, create a homebrew private key:

    openssl genrsa -des3 -out server.key 1024

    Create the unsigned public key (AKA certificate signing request) At one point in the process, it asks for "Your Name" - if this is for personal identification, then put in your name. However, if this is for a development web server, then put in the web site address "dev.www.wherever.com" when it asks for "Your Name"

    openssl req -new -key server.key -out server.csr

    Get the sign.sh script from the Apache mod_ssl distribution, use this to sign the certificate:

    ./sign.sh server.csr

    There you go, you now have the private (server.key) and public (server.crt) keys. Install them on your webserver.

    They will work, but your browser will whine about them being signed by an untrusted source. No problem there, give a copy of CA.crt (NOT CA.key!!) to any developers using your web server and have them install it on their machine, from then on, their browser will consider any certs signed by your homebrew CA key to be valid. To install the cert on IE browsers, a hint: you do not use your browser to do it, even though there is an "Install Cert" button on the window that pops up to let you know that the cert is signed by an unknown CA. Instead, you give them CA.crt, have them save it to their hard drive, then open up Windows Explorer, right click on CA.crt, and pick Install Cert from the menu, a Certificate Wizard will pop up, go with the defaults, then your machine will trust the homebrew certs.

    The root certificate game has always been just a money scam, especially for dev certs.

    1. Re:Make your own developer certs by Vapula · · Score: 4, Informative
      Distributing a CA cert under Netscape is very easy.

      You just have to use the little CGI that follows...

      #!/usr/bin/perl -Tw use strict; $|++; open(FP, "); close(FP); my $len = length($cert); print "Content-type: application/x-x509-ca-cert\r\n"; print "Content-length: $len\r\n"; print "\r\n"; print $cert;

      A link to that CGI with the mention "install the certificate into my Netscape" and you're done. (I don't know if it works with MSIE... I never use it !!!)

  8. Re:Certificate Authorities by sql*kitten · · Score: 3, Informative

    Why not just have a non-profit organization that issues certificates to anyone that wants one for a nominal fee?

    Well, you can generate your own certificate, it's straightforward enough. The issue is trust. When you (a shopper, say) go to a site secured by Verisign, you are in effect saying that you trust Verisign not to issue a certificate to anyone who isn't trustworthy. Of course, for most people, it's "I trust Netscape/Microsoft/Whoever, who trust Verisign, who trust this merchant". If you generate your own certificate, there is no "trusted third party" to confirm you are who you say you are. The reason certificates cost money is because for a certificate to be trustworthy, the issuer has to perform due-diligence checks (for example, company registration documents) to ensure that they are granting it to a legitimate organization.

    Logically, this could and perhaps should, be a function of Companies House (or the US equivalent), the body responsible for keeping track of company registrations, filing accounts and so forth. But any company with a strong enough brand (a hardware vendor, a major bank or law firm, a telco) could act as a trusted third party, so long as that TTP is itself trusted by the public. The only problem there is, how to get the browser vendors to distribute their certificates along with the browser.

  9. Re:Wait a second... by jrumney · · Score: 2, Informative
    Thawte is not the only provider of certificates out there.


    True. IE 5.5 contains a list of 100 root CAs. Of these, 3 have certificates that had expired before IE 5.5 was even released. 93 of the others do not have an Issuer Statement, so we just have to trust them blindly. Of the 4 root CAs that have an Issuer Statement, 3 give 404 errors. The remaining one takes you to a page where you can download a potentially virus carrying MS Word document in Italian.


  10. Re:Wait a second... by Conare · · Score: 2, Informative

    A CA's trust should be judged by the Certificate Policy, not the Issuer Statement. I have not researched the availability of the various CA's CPs but you can reference them under the CP attribute where you will find an Object Identifier(OID) that uniquely identifies that CA's certificate policy. Theoretically, you should be able to use that number to view the CP and decide whether or not to trust the CA.

    --
    Stop Continental Drift! Reunite Gondwanaland!
  11. Those are server certs, not devel. certs by phr1 · · Score: 3, Informative
    Developer certs are for signing code, not web sites. If you download (e.g.) a service pack from Microsoft and click "Properties" on the file, you'll see a tab that says "Digital Certificates". The cert that signs those things is a developer cert. The tools used for creating and signing the files are totally different from what's used for SSL certs. You could in principle generate the certs with OpenSSL, but the method you proposed won't work (you need special identifiers in the certs).

    What developer certs let you down is put ActiveX controls on your web pages that the user can download without going through a scary dialog saying "the browser can't tell who created this file". You do get a dialog saying "This file was created by so-and-so, click 'yes' if you trust them" but that dialog is designed to not be scary, and encourage the user to download whatever crap is about to take over his computer.

    There are also developer certs for signed objects in Netscape browsers, but not too many people care about those any more. :(

  12. Example: Trust code from "Microsoft Corporation"? by yerricde · · Score: 2, Informative

    I'm no crypto expert, but my guess is that they would want to minimize the risk of an individual acquiring a certificate in a bogus name, creating a virus or something and then signing the virus code with the cert - thus making it appear more valid

    In other words, you claim Thawte has restricted granting code signing certificates to avoid another debacle like this where Verisign granted a certificate to "Microsoft Corporation".

    --
    Will I retire or break 10K?