Free Certificate Authority Unveiled by Aussies
SonOfGates writes "Well, the Aussies have invaded Boston but at least they're not throwing tea into the harbor. AU-based nonprofit CAcert Inc has spent the last few days at USENIX '04 registering new users by the truckload. They bill themselves as a 'Community-Based CA.' Could this be the beginning of a true 'open' certificate authority? See the O'Reilly story and press release."
There is precisely no reason why these "authorities" should be getting any money... The servage is cheap since it doesn't even involve talking to their servers, just checking acceptance via a signing key... ANYONE can do that..! NO infrastructure!
-Mind
when Microsoft released that update for IE that included lots of new CAs? Anyone think this one will be included in the next one? My guess is no, judging from Microsoft's general resistance to anything open.
;)
But, we might be surprised. Opinions anyone?
ps. Maybe they should patch the browser first
bash: rtfm: command not found
I'm sure Mozilla/Opera might, but what about Microsoft? If Internet Explorer doesn't support it, it's unfortunately not very useful.
The mythical "web of trust" we were supposed to have in Verisign/Thawte/etc... is finally coming true in a NON-PROFIT entity.
Too bad this cert isn't defaultly trusted by IE/FireFox.
Interesting side note: when I received the registration email from them, Outlook 2003 (yeah, I know...) marked it as "junk mail".
-Wes
Many ISPs and low-budget groups have self-signed certs. They're easy to make. Hopefully this project will make it easier. I have quite often seen sites with a self-signed cert and another page giving the fingerprint of the cert. Most vendors allow these, but they aren't "trusted".
The only reason the big companies charge so much (their claim, not mine) is the insurance they provide, and the fact that they are "trusted" by the various vendors.
Any new group wanting to be a trusted CA will face the liability issue -- if one of your customers sues you, even if you try to disclaim all liability up front, you will still face massive court fees. Even if you won in court, you would lose financially if not insured.
There is no technical or logistical problem with setting up a Free (and free) common-geek's CA, the problems are entirely legal ones. I know because I looked into it right after SSL came out. It looks like a good business plan, right up until someone takes you to court.
Thank you for your support.
There is no reason to pay for certificates - initially the issue was about trust. The infrastructure to set up a cert authority is not complicated, as mentioned...you just need people to trust the certificates that you issue. God (and slashdotters) know the kind of crap that VeriSign has pulled before. It's good to see alternatives.
While I normally think the government should keep its nose out of most places, I think this is one place where the government could actually do some good. Just like many states and governments provide officially accepted picture IDs to individuals, I think they could easily set up a service to provide official digital IDs to all the citizens. Companies like Verisign may still have a role in providing corporate certs, etc, but I think the government is the best way to provide a universally recognized digital ID to everyone.
The whole notion that a Cert authority is needed is essentially bogus in my opinion. We've been rolling our own certs for years for all but the main e-commerce web servers. Who wants to pay the outrageous extortion fees Verisign/Thawte charge and jump through the goofy hoops? I bite my lip and do this every two years for the main web server just so my clients don't totally (unnecessarily) freak out at the prospect of a dialogue box popping up in SSL mode warning them that Microsoft's "paranoia-protection-money" wasn't paid-off.
The Cert authorities are a joke. We registered one CA with Verisign with virtually no documentation, and another time, when renewing an existing, different cert, they demanded everything short of a blood test for "authentication." It's nothing short of criminal considering they charge $200+ for something that takes 10ms to generate that they make people wait weeks for, and in no way guarantees superior security, and they'll make certs for anyone with money so the identity checking is BS and moot.
I'm all for a free certifying agency, but you can also roll-your-own with OpenSSL.
Note: If you plan to use these certificates with Internet Explorer, Outlook, or Outlook Express then generate the certificate from within Internet Explorer. They can't be successfully imported into Internet Explorer. Believe us, we've tried...
-Wes
Stumbling blocks would be that Verisign would still be the expensive 'gold standard' for quite a while because it's always been compatible from the early days in the most number of browsers, and another would be getting enough funding to pay for the identity check and other red tape that it takes to really be a 'trusted' cert authority.
I wonder what the cheaper CA's like thawte and geotrust think...
--
Power to the Peaceful
Somehow I don't feel all that secure when the site went down in 3 minutes...
"I say we take off, nuke the site from orbit. It's the only way to be sure."
I think the key to disrupting IE is by creating things it doesn't or won't support. It can't be done quickly, I don't think, but slowly, as the browsers merge in their usefulness and techs that disdain MS help ignorant users to install and use them, MS can be made an equal player. Instead of a dominant force that will eventually control the US Media by holding the power of the infrastructure.
We are one consciousness experiencing itself subjectively. Back to you with the weather, Bob!
This is one of those things we all say to ourselves "they should do this," yet it never happens. I'm really glad to see this. I can't wait until I can start recommending clients to them and supporting them with large (yet still much cheaper than Verisign/Thawte!) donations. :)
Does anyone else find it somewhat offputting that they include links to both validate their XHTML and validate their CSS on the bottom of their homepage, yet both return a number of errors stating that their page is neither valid XHTML nor uses valid CSS?
Even more oddly, for a brief instant when I went to their homepage, I got a default Apache index listing, rather than their homepage. It included links to things such as their PHP MyAdmin directory, a number of PHP files, and three zipfiles named Bruce-someversionnumbers.zip.
Well it appears that they've just left a single static page up and taken down their php, giving a 404
I don't see what everyone is crying about certs costing money for. Seeing as how I've set up online shops for several people using certs, I think for what they do, the cost is justified.
Not just anyone can get a CA cert. You have to be a business, I know verisign wants a copy of your business license, etc. before they even issue you a cert.
Now we got this "open CA". Who is going to check if these are legitimate businesses? Will there be any checks done at all, or will it just be "by the truckload" as the headline said?
I'm all for saving a buck as much as the next guy, but when I shop online, knowing that the cert came from a trusted source that actually checks if it's issuing a cert to a legitimate business like verisign or thawte puts my mind, as well as the minds of a lot of others.
As an individual with a certificate and a private key provided to me by CACert, what exactly can I do with it? I can sign email, but anything else? I know I can be authenticated with it, but is anyone actually using this?
Also, the certificate extensions might limit what the certificate could be used for... article really didn't say if these had any limits on them.
Has anyone found a good, portable way to store a private key? This seems like the biggest barrier to using certificates. I either use it on my own machine exclusively, or I have to have a secure way to move it around with me.
So, you install the master cert from their website and visit an anonymous website, when the anonymous website pops up a cert. Will it display on my screen to install or will it be automatically installed because I have installed and trusted the master/root cert.
That's not interesting, form letters like that are very much like a lot of common spam.
...
So you can get a free cert. I can generate my own damned certs already. However, if I have a cert that I've paid for, then usually people will trust that, because the cert authority has taken steps to verify that I am who I say I am.
It's that last thing that makes certs valuable, not the cert itself. A free cert is free because not many people are going to trust it, and with good cause.
Like others have mentioned, this is probably useless. Microsoft more than likely won't put it in IE. So you'd be better off just using a self-issued cert. Even if every non-IE browser adds it, that still isn't enough for most anyone that needs to have secure webpages.
I use and love Firefox personally, but if a cert doesn't work without popping up "untrusted alerts", free or not, it is quite useless to me.
Useless: the root certificate is not currently in IE
I think the government should sponsor a CA. Sure, their databases are screwy every so often and are the very model of bureaucracy. They are also one of the most "trusted" authorities to most of the neophyte users a warning would scare. Besides, they could probably keep up with Verisign's often weeks long turn around on certificates pretty well. There's some economy and small business stimulation! Unfortunately, maybe some fraud too, but it may also lead to hucksters getting stiffer punishments and/or penalties.
US Democracy:The best person for the job (among These pre-selected choices...)
I neglected to add that when your taxes are lower than those in other states, you're stealing money from us. Our tax money has to go to pave your roads, pay for your schools, and keep your emergency services from completely collapsing.
This signature does not exist. It has never existed. It is all a figment of your imagination.
Here's a summary of a proposal I wrote for canadian provinces...
The Governor General's office acts as the root CA for Government Ministries & Crown Corporations and Professional Associations.
Any professional association (Bar Association, College of Physicians & Surgeons, Engineers, etc) acts as a CA for its members and corporations working in their field (Law firms (lawyers, paralegals, legal secretaries), Medical Clinics (Doctors, Nurses, X-Ray Techs, Appointment Clerks), etc)
Certified Accountants act as a CA for Corporations, Societies, Partnerships, etc.
The Notaries public act as a CA for individuals.
This is great: slashdot advertisement
How? Really... I need to know (for IE) & can't figure it out, short of having the users install a binary of OpenSSL.
do you know what prompted the banning of swords? cause it was pretty shocking. there was a legitimate issue with swords there for a while and i didn't hear anyone complaining about the ban except people who shouldn't be owning swords.
Denmark has free digital signatures for all citizens, for use in email, to sign in on sites, etc...
URLs:
- http://www.digitalsignatur.dk/
- http://privat.tdc.dk/digital/
(both in Danish, though...)
The technicalities are run by the largest phone company/ISP, TDC, but otherwise it's fully a government thing.
Lucky for you America hasn't banned stupidity and ignorance.
How do you expect immortals to battle the death if their swords are banned? There can be only one.
Just a question, how much is this different than www.wildid.com?
That's why you check the fingerprint on the certificate. A third party can spoof DNS and run a site that looks identical to your own, but unless they have an underground bunker full of Crays somewhere, their site cert's not gonna have the same fingerprint :-)
iSKUNK!
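The fingerprint check described in the comment above, as an added example that is not part of the original thread. `SITE_DER` and `SPOOF_DER` are constructed stand-in bytes rather than real certificates, and all function names are assumptions of this sketch.

```python
import hashlib
import hmac
import re
import socket
import ssl

# Hex digest length -> hash algorithm, so a published SHA-1 (40 hex chars)
# or SHA-256 (64 hex chars) fingerprint is recognised by its length.
ALGO_BY_HEX_LEN = {40: "sha1", 64: "sha256"}


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """A certificate fingerprint is a hash over the DER encoding of the cert."""
    return hashlib.new(algo, der).hexdigest()


def normalize(published: str) -> str:
    """Accept 'AB:CD:..', 'ab cd ..' or plain hex as printed on a web page."""
    cleaned = re.sub(r"[\s:\-]", "", published).lower()
    if not re.fullmatch(r"[0-9a-f]+", cleaned):
        raise ValueError("fingerprint contains non-hex characters")
    return cleaned


def matches_pin(der: bytes, published: str) -> bool:
    """Compare the presented certificate against the published fingerprint."""
    want = normalize(published)
    algo = ALGO_BY_HEX_LEN.get(len(want))
    if algo is None:
        raise ValueError("unsupported fingerprint length")
    # Constant-time comparison of the two hex strings.
    return hmac.compare_digest(fingerprint(der, algo), want)


def fetch_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the server's leaf certificate without chain validation.

    Chain validation is switched off because a self-signed certificate has
    no chain to validate; the caller must then call matches_pin() on the
    result and refuse the connection when it returns False.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


# Constructed stand-ins for two different DER-encoded certificates: the
# genuine site's and one presented by a look-alike reached via spoofed DNS.
SITE_DER = b"constructed-der-bytes-for-the-genuine-self-signed-cert"
SPOOF_DER = b"constructed-der-bytes-for-the-look-alike-site-cert"


def demo() -> dict:
    """Publish the genuine fingerprint, then check both certificates."""
    hexfp = fingerprint(SITE_DER)
    published = ":".join(hexfp[i:i + 2] for i in range(0, len(hexfp), 2)).upper()
    return {
        "published": published,
        "genuine_ok": matches_pin(SITE_DER, published),
        "spoof_ok": matches_pin(SPOOF_DER, published),
    }


if __name__ == "__main__":
    print(demo())
```

The check is only as good as the channel the published fingerprint arrived over: a fingerprint read from the same connection it is meant to verify proves nothing.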
It's what America would be without the bill of rights, I think.
No, more like what America would be like without Guantanamo Bay, actually.
Have any countries? And if so, how is that working out for them?
Denmark has this already, as I posted earlier: http://slashdot.org/comments.pl?sid=113196&cid=9589656
My question is, since (currently) IE is the dominant browser, the value of this service is going to depend upon whether or not this new CA can be designated as "trusted" by Microsoft.
We know this ultimately comes down to how much Microsoft would charge for this certification. Does anyone have any idea what the costs are? I imagine it would be some sort of subscription arrangement where you have to pay in perpetuity to Microsoft in order to not have your trusted status revoked. But how much? And would Microsoft let an open CA even exist in the first place?
This coming from an Australian company? Hardly surprising: us Aussies are always happy to get something for nothing. Getting away with it is always a boasting point and something akin to a national sport/pastime.
Yeah, but aside from the snakes, spiders, sharks, box jellyfish, blue ringed octopus, crocodiles (they're only up north so you don't need to worry about them too much - but snakes and spiders are everywhere), etc. Aside from all those things, or in spite of all those things, Australia is the best place on earth. Don't believe me? Check the guide:
http://www.bbc.co.uk/dna/h2g2/A53650
And don't panic!
For example, see the TrueSite Relying Party Agreement. "The Service is provided on an as-is basis without warranties of any kind".
Even Verisign's Relying Party Agreement, while it does offer some warranties, has a complicated scheme for weaseling out of Verisign's obligation to verify the certificate holder's identity. The relying party agreement refers you to the CPS Section 11, says "Issuing authorities (and VeriSign, to the extent specified in the referenced CPS sections) warrant and promise to ... perform the application validation procedures for the indicated class of certificate as set forth in CPS Section 5, Validation of Certificate Applications." There, Verisign says "The IA shall confirm that ... the information to be listed in the certificate is accurate, except for nonverified subscriber information (NSI)." The linked definition of "nonverified subscriber information" is "Information supplied to a certification authority as part of a certificate application". So Verisign doesn't actually stand behind any of the information in their certificates.
This is much weaker than a signature guarantee by a commercial bank, where the bank guarantees to other parties that the person was properly identified. But it costs more.
I'd like to see banks belonging to Visa International and MasterCard issue digital certificates, and require that their certificates had to be on a page that accepted their credit cards. Certificates from banks would actually be worth something.
Speaking of email. Anyone know how to reset the master password in Thunderbird, current milestone (on win2k)? I don't remember ever setting it, but there's a value there and this won't let me import my cert.
How did you wipe IE off your windows box? The best I came to it was place a dummy iexplore.exe (as it gets replaced if you remove it) however, typing a http address into an explorer window still changes it into an instance of IE.
I guess there must be some reg hacks to remove it completely...
What version did you remove it from?
#hostfile 0.0.0.0 primidi.com 0.0.0.0 www.primidi.com 0.0.0.0 radio.weblogs.com
(or anybody else) throw tea into cold salt water and call it a party?
Lars T.
To the guy who modded me down from perfect to terrible Karma - Apple haters still suck
I don't see the big difference between a self-signed cert and a CAcert. It's going to be virtually impossible for web sites to get their users to install their root certificate. Users are stupid. Generally, I don't expect they can click a link, much less add a cert.
I've been looking into using SSL on http://freeinternetpress.com . We're not a registered company, nor do we turn a profit, so it would be an extra cost and hassle to get a real certificate. For us, the only reason to do it is to make some of our users happy by letting them browse by https.
A self-signed cert isn't any sort of magic, the instructions are in the OpenSSL documentation. I made it a step easier for people we work with, I have a web page that they submit their information to, and it generates everything including the self-signed cert. There's no real magic to it, anyone (err, anyone with a clue) should be able to write the same thing in about 10 minutes. I spent an extra 10 minutes making it pretty.
People I deal with never use the self-signed cert. They just take the CSR and get the cert signed by a regular signing authority. What's the big difference if I sign it, or if I call myself "Joe's cert company" and start automatically signing certs? It's not much different than what CAcert is doing, other than the fact that they have a donation button on their page. At least with the people I make CSR's and self-signed certs for, I know who they are, and that I'm not accidentally signing a fake microsoft.com cert.
Serious? Seriousness is well above my pay grade.
I heard one country tried it, but they had to deport all the stupid people. The only person left didn't have anyone to procreate with, so the country died a natural death a while later.
I have written to my professional association suggesting they look into becoming a trusted body for CACERT, and I suggest that anyone else who thinks CACERT is a good idea should do the same. If bodies like universities, professional engineering and software associations, law societies, accountancy organisations and medical societies can be interested, this could (a) rapidly expand CACERT and (b) create a roll which would "encourage" Microsoft to add it to their default list. Of course, this means explaining to the various bodies the benefits of encrypted email.
I use self-signed site certificates where my interest is in a secure channel to a previously authorised user, but it would be convenient not to have to ask users to import certificates.
So please, remember this site is partly about FOSS activity, stop being negative, drop the stupid Australian jokes (no, I am not Australian) and encourage these guys in practical ways.
Panurge has posted for the last time. Thanks for the positive moderations.
I need someone in the Seattle area to assure me. Spare me the jokes... If you are in the Seattle area, sign up, and let's get this going. I may do the 3rd party assurance soon.
But we have to be careful that we don't let our "wish to believe" blind us to the need for some caution here. Take a look at CACert's site. You'll find carelessness, spelling mistakes, pieces that have not been thought out. Running a CA properly requires meticulous attention to detail, and their site shows the opposite. On the very first page when you sign up, it asks for your name, date of birth, and "country". Is that country of citizenship, or country of residence?
Then there's the reliance on "government ID". If somebody presents Nigerian ID, or Dominican Republic ID, what exactly is that worth? It's not worth anything, you can bribe officials in those countries (and many others) to issue whatever official document you want. Does that mean that citizens of Nigeria can never be trusted? That's well over 100 million people in just that one country, most of whom are honest and trustworthy. It's ridiculous to exclude so many people from receiving certificates just because their bureaucrats are corrupt, and it's completely contrary to the transnational spirit of the Internet.
In conclusion, the idea behind CACert is a good one, but the people running it don't seem to be doing a good job. I hope that somebody else takes up the idea and does it better. There is no reason why there should not be more than one volunteer-based CA.
Which US college kids are you talking about? Got a link?
not Certificate Authority
;)
just so you know
...those that produce a warning in browsers, and those that don't. Most everything else, is all the same to 99,99% of the people.
Kjella
Live today, because you never know what tomorrow brings
Quote from the article:
He goes on to describe the process of getting the root cert, hopefully, included into the Mozilla project through a Bugzilla feature enhancement request. From what I read from the article, the discussion about this is still going on.
A lot of the posters here think only about the technicalities. Running a trustworthy CA isn't evident. A good CA will do a careful check to see if you are indeed who you say you are before certifying you. Certification is the Achilles heel of PKI and it's the procedures, not the technology that make the difference between a trustworthy and a useless PKI. Self signed certificates are useless.
There are other elements, such as how well does the CA protect its private key. Do they take responsibility (many CAs quickly dismiss all responsibility in the small print).
For a good document, google for "the 10 risks of PKI".
Security is hard to do right. The software is the easiest part.
Tom
no money to spend on education? anyone who qualifies can go to university, and get a 3-4 year undergraduate degree for about USD$1200 per year, repayable when income reaches a pretty comfortable level, interest free (cpi adjusted).
never heard about the sword thing except on slashdot, so dunno where that came from. guns are very tightly regulated though. thankfully.
Bundle the credential chain for your private cert (i.e. root cert and optional 'intermediate roots') into a PKCS7 file. Distribute file on a Verisign/Thawte authenticated page. Single-click will install the root cert in most browsers.
Your primary root cert can keep a long (decades) lifetime while your server certs can have a short (months) lifetime. Safest is to use intermediate roots (years lifetime) which can be revoked at will (in case of private key compromise) via live CRL on the primary root.
Sample code for Multi-level CA.
X.509 binds names to keys; it's the name that matters in an X.509 system. But because there aren't enough bits in the human-language name to uniquely identify every entity of interest in the network, X.509 is based on X.500 naming, which mates the human-language name (common name, or CN) with that name's position in the global directory. Together they form the distinguished name, or DN.
X.500 naming, however, presumes a single, global namespace. The X.500 directory was intended to be a single directory for the entire planet providing unique, inescapable names for everyone.
Yeah, right. Like that's going to happen.
As a result, X.509 is carved into literally hundreds of local namespaces. But since we're stuck with the *name* as the principal, we have to use that X.509 name *globally*. There are multiple ugly kludges to get around the name problems as a result.
This makes X.509 complex, fragile, and difficult to deploy correctly.
But everyone (potentially) has a globally unique identifier-- the public part of an RSA key. Randomly generated, 2^42 512-bit RSA keys have a probability of colliding on the order of 2^(-429); even the SHA-1 hashes have a collision chance of 2^(-77). Keep in mind that we use 1024-bits as the default nowadays.
So if you use the public key as a name, it solves a whole raft of problems.
This is what SPKI/SDSI does. SPKI is key-centric; names are a local convenience; keys are bound to names instead of the other way around, and all names are local to that key. Every participant has a key pair. The public part is the identifier for the keyholder, and the keyholder authenticates himself simply by proving that he has the private part.
Keep in mind that the whole issue of binding keys to actual people can't be addressed by a PKI, it has to be addressed by strong key storage and access controls and is the same across for X.509 and PGP/GPG as it is for SPKI.
This is similar to the web of trust, but I don't need introducers (well-connected keys) to make it work right.
SPKI goes on to recognize that since authentication is simple, what we really need from SPKI is authorization. The whole of SPKI is intended to define a flexible method of allowing authorization *and authorization delegation* in a simple, distributed fashion. SPKI defines an authorization *language* so that authorizations can be chained *without the SPKI library knowing what the tokens actually mean*. This means that a single library can handle the permission sets of all applications. In addition, the language rules prevent all entities in the chain of delegations from being able to exceed the permissions he was granted.
Achieving the same under X.509 (using attribute certificates, for example) is next to impossible. ACs don't delegate (well, the standard itself says technically you can but you *shouldn't*); aren't truly distributed (i.e., the AC acts as a single choke point in granting permissions, which SPKI avoids), and don't model the way trust naturally flows in an organization of people (whereas SPKI allows you to source and pass around trusts in more natural ways).
Very cool stuff. SPKI shows up in all kinds of places. Carl Ellison's homepage provides the best jumping-off point if you want to learn more:
http://world.std.com/~cme/html/spki.html
-- Cerebus
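The delegation rule described in the comment above, as an added example (not code from the thread or from any SPKI library): a simplified chain reduction over RFC 2693-style 5-tuples. Signature checking is omitted, tags are reduced to sets of opaque strings, and every key, name and validity number is constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import FrozenSet, Optional, Sequence, Tuple

ALL = None  # wildcard tag: "everything the issuer itself was granted"


def principal(public_key: bytes) -> str:
    """In SPKI the principal IS the key; a hash of it serves as the short
    identifier (truncated here only to keep the output readable)."""
    return hashlib.sha256(public_key).hexdigest()[:16]


@dataclass(frozen=True)
class Cert:
    """One 5-tuple: <issuer, subject, may-delegate, tag, validity>."""
    issuer: str
    subject: str
    delegate: bool
    tag: Optional[FrozenSet[str]]       # opaque permission tokens, or ALL
    validity: Tuple[int, int]           # (not_before, not_after), inclusive


def intersect_tags(a, b):
    """The reducer never interprets tokens; it only intersects them."""
    if a is ALL:
        return b
    if b is ALL:
        return a
    return a & b


def reduce_chain(verifier: str, chain: Sequence[Cert]) -> Optional[Cert]:
    """Collapse a chain into one 5-tuple issued by the verifier, or None.

    Rule: <I1,S1,D1,A1,V1> + <I2,S2,D2,A2,V2> -> <I1,S2,D2,A1&A2,V1&V2>,
    valid only if S1 == I2 and D1 is true.
    """
    if not chain or chain[0].issuer != verifier:
        return None                     # must start at the verifier's own ACL
    acc = chain[0]
    for nxt in chain[1:]:
        if acc.subject != nxt.issuer or not acc.delegate:
            return None                 # broken link or delegation not allowed
        tag = intersect_tags(acc.tag, nxt.tag)
        lo = max(acc.validity[0], nxt.validity[0])
        hi = min(acc.validity[1], nxt.validity[1])
        if (tag is not ALL and not tag) or lo > hi:
            return None                 # nothing left to grant
        acc = Cert(verifier, nxt.subject, nxt.delegate, tag, (lo, hi))
    return acc


def authorized(verifier, chain, requester, permission, now) -> bool:
    """Requester is assumed to have already proved possession of its key."""
    r = reduce_chain(verifier, chain)
    return (r is not None and r.subject == requester
            and r.validity[0] <= now <= r.validity[1]
            and (r.tag is ALL or permission in r.tag))


# Constructed principals (stand-ins for real public keys).
SELF = principal(b"server-public-key")
ALICE = principal(b"alice-public-key")
BOB = principal(b"bob-public-key")
CAROL = principal(b"carol-public-key")
DAVE = principal(b"dave-public-key")

# Server ACL entry, then two delegations. Alice tries to hand out "deploy",
# which she was never granted; Bob passes on without the delegate bit.
ACL = Cert(SELF, ALICE, True, frozenset({"read", "write", "admin"}), (0, 1000))
A2B = Cert(ALICE, BOB, True, frozenset({"read", "write", "deploy"}), (100, 500))
B2C = Cert(BOB, CAROL, False, frozenset({"read", "deploy"}), (0, 2000))
C2D = Cert(CAROL, DAVE, False, ALL, (0, 2000))
CHAIN = [ACL, A2B, B2C]

if __name__ == "__main__":
    print(reduce_chain(SELF, CHAIN))            # read only, valid 100..500
    print(reduce_chain(SELF, CHAIN + [C2D]))    # None: Carol may not delegate
```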
Are the CAcert folks still handing these out at usenix in Boston? when/where?
If somebody presents Nigerian ID, or Dominican Republic ID, what exactly is that worth? It's not worth anything, you can bribe officials in those countries (and many others) to issue whatever official document you want. Does that mean that citizens of Nigeria can never be trusted? That's well over 100 million people in just that one country, most of whom are honest and trustworthy. It's ridiculous to exclude so many people from receiving certificates just because their bureaucrats are corrupt, and it's completely contrary to the transnational spirit of the Internet.
Well, what do you propose, then? The problem doesn't solve itself just because you want it to.
Do those 100 million people have no responsibility for their bureaucrats being corrupt? If they aren't going to do anything about it, how can anybody else?
To get joe user to install the CA certificate, just put a link on your page with something like.
"To stop the annoying messages you must install the following certificate.
I agree."
Joe User will happily click on 'I Agree' and you're away.
(p.s. don't forget to put a trojan in the link too, Joe User will install that without any qualms)
thank God the internet isn't a human right.
Rock-on, dewd! You've been at this for a while now, that and NodeDB -- Good to see you slashdotted!
Zhrodague.net - I do projects and stuff too.
Did anyone notice that the logo looks like a very serious thumb wrestling match?
However, many public CAs are now including CRL Distribution Point extensions in their certificates, and these contain a URI for the CRL on which the certificate in question will appear, if revoked.
It's not clear which versions of IE have CRL checking on by default for SSL certificates - certainly for Code Signing and Macro Signing certificates the default is to download and check the CRL.
Mozilla doesn't use the CRL Distribution Point extension at this stage, but manually downloading a CRL with Mozilla (incl Firebird) triggers an automatic redownload of the CRL every time it expires.
This audit would be performed by one of the big auditing companies, and is not free.
Hence, anybody providing certs trusted by Microsoft, must charge for them - if anything, to pay for the audit...
Um...Kerry was never the Governor. He is the Senator from the state and was a district attorney before that.
I've often wondered why mozilla.org doesn't start their own CA. Sell certs for a reasonable price like $50, and people would probably happily pay that price to know that they are also supporting browser development. Plus, mozilla.org can be sure that their CA will be included in at least one browser... :-)
I spent some time talking to these guys at USENIX. I think they have a good idea and the drive to see it through. Each of the people I spoke with were technically knowledgeable, enthusiastic, and yet quite serious about giving the validation process the weight it deserves. Sure they have some rough edges as many non-profits do when they are getting off the ground, but this seems like an effort worth supporting.
Certs should be available for a hell of a lot less than what Verisign charges. There's an artificial barrier to entry in this market and I welcome community-oriented attempts to lower it. I hope their root cert gets into Mozilla ASAP! I fully support their efforts.
BTW- It was rather amusing watching people come over and ask for the "free" certificates expecting to be handed some physical piece of schwag, heh heh.
never heard about the sword thing except on slashdot, so dunno where that came from. guns are very tightly regulated though. thankfully.
Victoria banned swords.
I'm guessing that wasn't on their radar screen...
http://ca.freeicp.org -- for the Web CA
http://www.freeicp.org -- for the (rather old) main project wiki
See also the paper they published at NIST's 2nd PKI Research Workshop.
This will be great for small time companies and individuals.
- Webmaster of Infoweb
Any soul here knows how to import the cacert.crt from the users logon script?
That would at least solve the issue from within an organization.
Alvaro
Hopefully, no one will see this post anyway, but just in case, Kerry was never governor. http://www.masshome.com/governors.html
They'll think I've lost control again and leave it all to evolution. -- Supreme Being, Time Bandits
Kerry was never "govana" of the state of the MA.
And what facts do you have to support that MA taxes are some of the lowest in the entire country?
Well, their page doesn't even validate as strict XHTML even though they claim it does... sigh.
Anyhow, do we really need a root authority? Couldn't this be P2P? If I and 3 other people you know sign your certificate saying you are Jane/John/Buba, we should be able to establish a trust metric... and/or trust friends of friends.
Of course, I really don't understand this topic enough, so this could be completely off base... I'm just peeved at the high cost of certificates for my clients' e-commerce websites, and wonder why I have to get some bureaucracy to actually deem them trustworthy when trust in most communities is built by social networks.
Is this possible (or even desirable)?
Information: "I want to be anthropomorphized"
Certificate authorities solve^H^H^H^H^Haddress the central problem of public key authentication -- how can you know that the public key really belongs to the entity you think it does?
Anybody can create a self-signed cert with your name and your URL and then impersonate you over SSL.
Understood, you're also critical of the level of care the CA's put into identity checking, but your first point was "The whole notion that a Cert authority is needed is essentially bogus in my opinion". The known alternatives are to have every customer separately verify your certificate's thumbprints out-of-band (not worth thinking about) or to build decentralized verification like PGP's Web of Trust. The WoT doesn't answer the questions businesses ask (e.g. "who's liable for how much?", "can my auditors look at the written signing policy?" etc.), though it works great for groups of human rights activists.
The logical answer in my opinion would be if you got a cert along with your merchant Visa account, signed by your bank using their chained cert from Visa, with the Visa master cert trusted by browsers. That would let the companies who face the financial risk of identity fraud manage the technical risk.
The real problem is that we're depending on a subtle and sophisticated technology (PKI) that no normal people and only a few geeks understand the operation and limits of.
The point of a Certificate Authority is not to simply prevent the user's browser from bringing up a warning. The CA is supposed to vouch for the presenter of the CA-issued certificate -- in some way, at least...
In Soviet Washington the swamp drains you.
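An added example, not code from any commenter or from CAcert: the "three people you know sign your certificate" idea and the PGP Web of Trust raised in the comments above, written as a key-validity calculation. The thresholds are GnuPG's classic trust model defaults (1 fully trusted or 3 marginally trusted introducers, chain depth 5); the names and the signature graph are constructed.

```python
FULL, MARGINAL = "full", "marginal"
COMPLETES_NEEDED = 1   # signatures needed from fully trusted introducers
MARGINALS_NEEDED = 3   # signatures needed from marginally trusted introducers
MAX_DEPTH = 5          # longest introducer chain counted from the verifier

def valid_keys(me, signatures, owner_trust):
    """Return {key: depth} for every key the verifier `me` accepts.

    signatures:  {signer: set of keys that signer has certified}
    owner_trust: {key: FULL or MARGINAL}, how far `me` trusts that owner to
                 check identities; a missing entry means "not an introducer".
    A signature counts only if the signer's own key is already valid.
    """
    valid = {me: 0}
    for depth in range(1, MAX_DEPTH + 1):
        newly = {}
        for key in set().union(*signatures.values()) - set(valid):
            full = marginal = 0
            for signer in valid:
                if key not in signatures.get(signer, ()):
                    continue
                trust = FULL if signer == me else owner_trust.get(signer)
                full += trust == FULL
                marginal += trust == MARGINAL
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                newly[key] = depth
        if not newly:
            break
        valid.update(newly)
    return valid

# Constructed sample: "you" met alice, bob and carol and signed their keys.
SIGNATURES = {
    "you":     {"alice", "bob", "carol"},
    "alice":   {"jane", "mallory"},
    "bob":     {"jane", "mallory"},
    "carol":   {"jane"},
    "mallory": {"mallory"},   # self-signature only, proves nothing
    "dave":    {"eve"},       # dave's own key was never validated
}
OWNER_TRUST = {"alice": MARGINAL, "bob": MARGINAL, "carol": MARGINAL,
               "dave": FULL}

if __name__ == "__main__":
    for key, depth in sorted(valid_keys("you", SIGNATURES, OWNER_TRUST).items()):
        print(f"{key}: valid at depth {depth}")
```

With this graph jane is accepted through three marginal introducers, mallory (two signatures plus a self-signature) is not, and eve is rejected because dave's key was never validated even though its owner is marked fully trusted.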
That's a really big help.
You have to understand that Australians are not as immediately serious as Americans. We understand the principles of gun and weapon ownership but weighed it up against 1 crazy person being able to slaughter dozens of people at a time and decided against it.
When we see someone who is poor we figure they had bad luck and give them food and shelter, not let them die on the street because they are lazy or deserve it. When we want political change we use ballots, not guns (compare federation vs American revolution, American civil war)
During my last visit to the states a girl-boy fight went on in another room at my motel. It was obviously loud enough and late enough at night for someone to freak and call the cops.
Now, contrast what happened to what Australian cops would do. First they give a verbal warning to surrender. Then if force needs to be used they are to use batons or mace, and only in a situation where they feel in personal danger (crim has a weapon/rushes towards them) are they ever to pull out their gun. The US cops arrived, kicked in the door and went in with guns in hand. Then they dragged the half naked guy (he was hispanic) and pushed him down stairs and shoved him into a truck and drove away. How do they know he wouldn't have just come with them? Couldn't they have just asked him to keep it down? WTF? I have broken the law numerous times doing silly things (riding a motorbike down a back country road as a kid / smoking weed in public) and the cops have just come up to me and reasonably asked me not to be so blatant about it and they would get serious next time. Compare that to being thrown in jail for 1st time possession in the states. The laws may be stricter in some cases, but most cops aren't bastards about it (though I don't live in Victoria). Which country is more free?
Rouge is a French adjective for red. Rogue is an English adjective for "something which behaves in an unexpected and often destructive way".
From their website:
How does the Assurance Programme work?
There are two main steps. Firstly, when you join the ECCP, you will be asked for some identifying details, including the number of a nationally recognised piece of ID, such as a passport. We will protect your details according to our Privacy Statement.
CAcert has no direct way to check that (for example) passport number ABC123456 really belongs to you. So in the second step, you meet up with some members of the Assurance Programme, who have already convinced CAcert of their identity. These 'Assurers' check your identifying details, and confirm to CAcert that you are who you say you are. You will need at least two Assurers to confirm your details in this way - this strengthens the integrity of the Assurance Programme's 'web of trust'.
I do not want to give them a Nat'l ID number. In fact, there should be no reason to do so. There is already an infrastructure in place for validating my ID and paper signature. The folks who do this are called Notary Publics. And they have their own web of trust similar to a Certificate Authority's.
Two years ago, my wife and I adopted a little girl from India. Lots and lots of paperwork involved. Most of which had to be signed and verified by a notary. The notary looks at your ID and then adds their stamp on top of the signature. The notary does not keep any of your ID numbers on file.
Some of that paperwork had to go through a second level of verification. We had to take the signed and stamped papers to our local courthouse where the County Clerk then verified that the notary was legit. This was then taken to the State of Ohio where they verified the County's verification. It's been a while, but we might, IIRC, have had to get another level of certification from the US State Dept since we were sending the documents overseas.
So why not just use the infrastructure already available for verifying the identity of a requestor for a certificate made to a cert authority? No need for a CA to keep my Nat'l ID on file.
FreeSpeech.org
First "the Great Goddess Ayn Rand says you're a dirty stinkin' COMMIE" post!
Seriously, the Post Office is one obvious choice for real identification - they can't tell any better than anyone else *who* you are, but they can probably validate *where* you are cheaper than anybody else.
Hello folks.
I was thinking about implementing the SPKI system, at least the verifier, in PHP for webmasters' and people's convenience.
If any of you are interested please reply to this post/comment.
If you are interested in computer security check out erights.org and Introduction To Capability Based Security
-Zarutian
ps. I hope this isn't modded down.
---
sha1 hash of message (excluding the line with ---): f944e109ee67a9622d60d7e2611a85d021c8fbb8
Oh, is that where the Billy Gate-tocus of Borg icon comes from that is so prevalent of the Microsoft collective here on Slashdot?
"Resistance is Futile?"
I know I did, and boy am I glad.
http://www.openca.org
Never mind the naysayers of having your own CA, I benefited greatly, and so should you.
Australia Post has a service named KeyPost where they act as the RA (Registration Authority) and provide authenticity information to CAs. I'd trust certificates issued through this scheme a whole lot more than by a friend of a friend of someone I'll never meet. Why not outsource the RA work to Australia Post? The Australian Government program that supports this is Gatekeeper.