Free Certificate Authority Unveiled by Aussies
SonOfGates writes "Well, the Aussies have invaded Boston but at least they're not throwing tea into the harbor. AU-based nonprofit CAcert Inc has spent the last few days at USENIX '04 registering new users by the truckload. They bill themselves as a 'Community-Based CA.' Could this be the beginning of a true 'open' certificate authority? See the O'Reilly story and press release."
Many ISPs and low-budget groups have self-signed certs. They're easy to make. Hopefully this project will make it easier. I have quite often seen sites with a self-signed cert and another page giving the fingerprint of the cert. Most vendors allow these, but they aren't "trusted".
The only reason the big companies charge so much (their claim, not mine) is the insurance they provide, and the fact that they are "trusted" by the various vendors.
Any new group wanting to be a trusted CA will face the liability issue -- if one of your customers sues you, even if you try to disclaim all liability up front, you will still face massive court fees. Even if you won in court, you would lose financially if not insured.
There is no technical or logistical problem with setting up a Free (and free) common-geek's CA, the problems are entirely legal ones. I know because I looked into it right after SSL came out. It looks like a good business plan, right up until someone takes you to court.
Thank you for your support.
There is no reason to pay for certificates - initially the issue was about trust. The infrastructure to set up a cert authority is not complicated, as mentioned...you just need people to trust the certificates that you issue. God (and slashdotters) know the kind of crap that VeriSign has pulled before. It's good to see alternatives.
Yea, I remember it... But, if you use anything mozilla like you can import the CA cert of any certificate authority you'd like. I am not sure how you do this with IE (since I wiped that right the hell off my boxes, my windows boxes don't even use it).
Not as big an impact as you think..
-Mind
Note: If you plan to use these certificates with Internet Explorer, Outlook, or Outlook Express then generate the certificate from within Internet Explorer. They can't be successfully imported into Internet Explorer. Believe us, we've tried...
-Wes
Yea, you can do it in IE too. The problem is that end-users do not know how to, and the whole concept is completely foreign to them.
Sad as it may be, IE is still used by something like 85% of the world.
bash: rtfm: command not found
My guess is no, judging from Microsoft's general resistance to anything open.
That depends on what your/their meaning of 'open' is. I couldn't find any information on this project being open-source, on their site or the articles. And if it's not, I'd strongly suggest it should be, given the open source community's need and want for something like this and the ability to make it better. Hopefully I just overlooked something and it is open source and not just free as in beer.
It's not down. They made a small change to protect themselves most likely. You'll have to manually alter links, but you can browse the site fine.
Stumbling blocks would be that Verisign would still be the expensive 'gold standard' for quite a while because it's always been compatible from the early days in the most number of browsers,
Let's qualify this for people who may not understand.
This new certifying authority will be just as compatible as any other cert. It will still offer as much encryption protection as any cert provided by any authority.
The difference is that the browser may not be "pre programmed" to recognize the authority, and will therefore pop up a "warning dialogue box" that says something like "Certificate is signed by an unknown authority". In reality the encryption and transaction is just as strong. It's just that the browser company hasn't been paid a fee to keep the dialogue box from popping up and scaring users into thinking that their transactions are not encrypted.
So basically, those of us who have used CAs from Verisign are paying a fee to keep a dialogue box from popping up scaring our users, making them think their transaction isn't secure, when it is.
There is this notion that companies like Verisign/Thawte are charging their outrageous fees for an intangible piece of digital information because they "verify" that the name on the certificate matches name of the web site you're dealing with. Most users wouldn't be conducting e-commerce or secure transactions with a web site unless they were fairly confident who they were dealing with in the first place, so the notion that a cert offers additional security is pretty superfluous.
Verisign acquired Thawte in late 1999. Though they acknowledge the fact on their corporate website, they don't exactly make it obvious they no longer compete with Verisign.
You're right. The mozilla team has an issue in bugzilla about cacert. They've decided to support this ca for the next release.
I know it's not non-profit, but Thawte does provide personal certificates for free. You can use them for email encryption and signing without any difficulty. As for server certificates (https, etc), I think you'd have to pay for them, but for personal email usage, Thawte is a pretty good option.
Here's a summary of a proposal I wrote for Canadian provinces...
The Governor General's office acts as the root CA for Government Ministries & Crown Corporations and Professional Associations.
Any professional association (Bar Association, College of Physicians & Surgeons, Engineers, etc) acts as a CA for its members and corporations working in their field (Law firms (lawyers, paralegals, legal secretaries), Medical Clinics (Doctors, Nurses, X-Ray Techs, Appointment Clerks), etc)
Certified Accountants act as a CA for Corporations, Societies, Partnerships, etc.
The Notaries public act as a CA for individuals.
I use a Thawte p.cert to sign my email - there's a good writeup on configuring it to work with OSX's Mail.app here -- also a good example on how to provide visually appealing technical documentation that I can talk non-technically inclined people into reading.
-- YLFI
One god, one market, one truth, one consumer.
Denmark has free digital signatures for all citizens, for use in email, to sign in on sites, etc...
URLs:
- http://www.digitalsignatur.dk/
- http://privat.tdc.dk/digital/
(both in Danish, though...)
The technicalities are run by the largest phone company/ISP, TDC, but otherwise it's fully a government thing.
There is no installation for the other certs... Once the master is trusted, all you need is a chain of trust down to the "anonymous website". The website provides the certificate to the browser, the browser checks the issuer, and as long as the issuer is trusted, the browser accepts the certificate. No display to screen, no installation, nothing...
"Go to CNN [for a] spell-checked, fact-checked summary" -- CmdrTaco
Did I miss something?
;)
InstantSSL 1 yr $49
FreeSSL 1 yr $99
They claim 96% compatibility, InstantSSL claims 99.3% (love those numbers, WTF)
They do mention the "hassles" of chained certs. I know it was a huge pain to drop one more file on my box, but I don't see it being worth $50
If I did miss something, I apologize. Let me know I'll be checking them out again in the morning.
SSL certificates assure two things:
1) Your communications are encrypted and can't be intercepted in transit. These days this is a trivial thing and can easily be provided with a self-signed cert.
2) The identity of the site owner has been verified. The trusted certificate authority has taken some measures to assure that the site has been authorized by the entity named in the certificate. This is not trivial.
Without #2, it's not too hard to set up a fake site and hijack someone's traffic. You can then collect usernames and passwords, or distribute false information. Imagine if someone uses a BIND exploit to take over your ISP's DNS servers and reroutes yourbank.com to a fake site. When you pay for a certificate from a trusted CA, you're paying for #2. If you don't care about #2 for your purposes, then you can act as your own certificate authority.
Services for Unix is widely known to use BSD licensed code and utilities from the OpenBSD project. The TCP/IP stack in early NT products was BSD code, and it's possible some of the utilities, the ftp client for example, are still BSD code.
Microsoft doesn't like the GPL, but the GPL is not the be all and the end all of Free Software. Microsoft has no problems with other open licenses.
"I use a Mac because I'm just better than you are."
Verisign/Thawte/etc weren't about a web-of-trust. The X.500 design is all about hierarchy and military-style trust trees. You're probably thinking of PGP, whose web-of-trust idea was kind of unusual at the time. Thawte's managed to build a slightly weblike system on top of the X.500 design, but it's still awfully centralized and hierarchical.
Yeah, but aside from the snakes, spiders, sharks, box jellyfish, blue ringed octopus, crocodiles (they're only up north so you don't need to worry about them too much - but snakes and spiders are everywhere), etc. Aside from all those things, or in spite of all those things, Australia is the best place on earth. Don't believe me? Check the guide:
http://www.bbc.co.uk/dna/h2g2/A53650
And don't panic!
For example, see the TrueSite Relying Party Agreement. "The Service is provided on an as-is basis without warranties of any kind".
Even Verisign's Relying Party Agreement, while it does offer some warranties, has a complicated scheme for weaseling out of Verisign's obligation to verify the certificate holder's identity. The relying party agreement refers you to the CPS Section 11, says "Issuing authorities (and VeriSign, to the extent specified in the referenced CPS sections) warrant and promise to ... perform the application validation procedures for the indicated class of certificate as set forth in CPS Section 5, Validation of Certificate Applications." There, Verisign says "The IA shall confirm that ... the information to be listed in the certificate is accurate, except for nonverified subscriber information (NSI)." The linked definition of "nonverified subscriber information" is "Information supplied to a certification authority as part of a certificate application". So Verisign doesn't actually stand behind any of the information in their certificates.
This is much weaker than a signature guarantee by a commercial bank, where the bank guarantees to other parties that the person was properly identified. But it costs more.
I'd like to see banks belonging to Visa International and MasterCard issue digital certificates, and require that their certificates had to be on a page that accepted their credit cards. Certificates from banks would actually be worth something.
Oddly enough... Services For Unix includes GNU tools. That's right - GPL code.
X.509 revocations do exist, but since there really is no universal Public Key Infrastructure (for the non-security guru), or rather the browsers don't even TRY or HAVE A WAY to validate them in most cases they really don't mean much at all...
Both IE and moz can use OCSP (Online Certificate Status Protocol) - if the cert contains OCSP information (basically a URL where you can check whether the cert is revoked) the browser can check against that. Fully up-to-date windows systems actually do this by default, it's in the crypto libraries. Which caused some problems for Norton Antivirus earlier this year when their cert expired, their OCSP server wouldn't hand out an updated cert, and their liveupdate application silently(!) failed.
Why they were even using a public CA's cert, when there's no way for the end user to look at it, is another matter..
SCO employee? Check out the bounty
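The mechanics described in the comments above (the "master" root that a browser trusts once, the chain down to the anonymous website, the "unknown authority" dialogue when the issuer is not in the store, and the OCSP URL carried in the certificate) worked through with the openssl command line. This is an added example, not code from the thread or from CAcert. It needs an openssl CLI (1.1.1 or newer); every CA name, host name, serial number, index.txt entry and the responder URL http://ocsp.example.test/ is made up for the demo. It builds a throwaway root plus an unrelated second root, issues two site certificates, verifies the same certificate against both roots, reads the responder address out of the Authority Information Access extension, and runs a complete OCSP request/response exchange offline against a CA database in `openssl ca` index format, with one certificate revoked and one still good.

```shell
#!/bin/sh
# Added example, not from the thread or from CAcert: a throwaway CA built with
# the openssl CLI (1.1.1 or newer). Every name, serial and URL below is made up.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SITE=placeholder; export SITE   # read by ${ENV::SITE} in the config below

# One config: a profile for the self-signed root and one for site certs. The
# authorityInfoAccess line is the "OCSP information" a browser would follow;
# ocsp.example.test is hypothetical.
write_config() {
    cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = root_ext

[ dn ]
CN = placeholder

[ root_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:${ENV::SITE}
authorityInfoAccess = OCSP;URI:http://ocsp.example.test/
EOF
}

# Self-signed root: the one "master" certificate a browser or OS has to trust.
make_root() {   # $1 = file basename, $2 = CN
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$WORK/ca.cnf" \
        -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Site certificate: the site makes a CSR, the CA signs it with the root key.
issue_site() {  # $1 = file basename, $2 = DNS name, $3 = serial (hex)
    SITE=$2
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
        -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -days 365 -set_serial "0x$3" \
        -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -extfile "$WORK/ca.cnf" -extensions leaf_ext -out "$WORK/$1.pem" 2>/dev/null
}

# The browser-side check: does the certificate chain to a root in MY store?
# The default CA bundle file and directory are skipped so only $1 is trusted.
verify_chain() {  # $1 = trusted root, $2 = certificate to check
    openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# Where the certificate says revocation status can be asked for.
ocsp_uri() { openssl x509 -in "$1" -noout -ocsp_uri; }

# A full OCSP exchange done offline: client builds the request, the CA answers
# from its issuance database, client verifies the signature on the answer.
ocsp_status() {   # $1 = site certificate; prints good, revoked or unknown
    openssl ocsp -no_nonce -issuer "$WORK/root.pem" -cert "$1" \
        -reqout "$WORK/req.der" >/dev/null 2>&1
    openssl ocsp -no_nonce -index "$WORK/index.txt" -CA "$WORK/root.pem" \
        -rsigner "$WORK/root.pem" -rkey "$WORK/root.key" \
        -reqin "$WORK/req.der" -respout "$WORK/resp.der" >/dev/null 2>&1
    openssl ocsp -no_nonce -issuer "$WORK/root.pem" -cert "$1" \
        -CAfile "$WORK/root.pem" -respin "$WORK/resp.der" 2>/dev/null |
        sed -n '1s/^.*: //p'
}

build_pki() {
    write_config
    make_root root  "Community Root CA (example)"
    make_root other "Unrelated Root CA (example)"
    issue_site www  www.example.test  1001
    issue_site mail mail.example.test 1002
    # CA database in the format `openssl ca` keeps: status, expiry, revocation
    # date, serial, file, subject. The www certificate is revoked, mail is not.
    printf 'R\t350101000000Z\t240101000000Z\t1001\tunknown\t/CN=www.example.test\n' > "$WORK/index.txt"
    printf 'V\t350101000000Z\t\t1002\tunknown\t/CN=mail.example.test\n' >> "$WORK/index.txt"
    : > "$WORK/index.txt.attr"
}

build_pki
verify_chain "$WORK/root.pem"  "$WORK/www.pem" && echo "www.pem vs community root: trusted"
verify_chain "$WORK/other.pem" "$WORK/www.pem" || echo "www.pem vs unrelated root: unknown issuer"
echo "OCSP responder named in www.pem: $(ocsp_uri "$WORK/www.pem")"
echo "www.pem:  $(ocsp_status "$WORK/www.pem")"
echo "mail.pem: $(ocsp_status "$WORK/mail.pem")"
```

The encryption is identical in both verify runs; the only thing that changes between "trusted" and "unknown issuer" is which root sits in the store handed to `openssl verify`, which is exactly what the warning dialogue a browser shows is about. The three `openssl ocsp` calls are the client request, the responder (here the CA answering directly with its own key, so no separate OCSP signing certificate is needed), and the client's verification of the signed answer; a browser that ignores the AIA URL never learns that the www certificate was revoked.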
Quote from the article:
He goes on to describe the process of getting the root cert, hopefully, included into the Mozilla project through a Bugzilla feature enhancement request. From what I read from the article, the discussion about this is still going on.
This often happens if you've set scripting of ActiveX components in the Internet zone to 'prompt' (which is a good idea) and not set your webmail host to be a trusted site (which is also a good idea, imho - who knows how good they are at stripping out weird HTML?).
It seems wildid issues only S/MIME e-mail certificates. This company also offers SSL (https) secure server certificates, which is much more useful. They also seem to be significantly better at what they do. I wouldn't trust a certificate issuer who has an expired certificate on their own secure server. What's their excuse for having an expired self-signed cert???
Hmm, I'm a notary in California, and the standard notary journal here, at least, has a place in which your identification is recorded (and if it's a real estate transaction, your thumbprint is mandatory now). The notary organizations have manuals dedicated to helping notaries around the country recognize real and forged state driver's licenses and other official identification that contains both a picture, a physical description and a signature.
If a notary knows you personally, the notary can in most situations simply note that you were personally recognized in the journal.
I used my ham radio call sign for the 'national ID' -- seemed an ideal choice for this situation.
As someone who HAS gone through both of these processes (WebTrust, Microsoft), let me shed some truth on some of the speculations here.
1) Microsoft doesn't charge anything to be "trusted"; they've primarily let the AICPA manage that through their "WebTrust for Certification Authorities". (Microsoft will also allow the requestor to use another audit, but it's up to the CA to determine equivalency to WebTrust's audit.)
Microsoft posts their requirements to get included in their Trusted Root List here: microsoft.com
Once you get a WebTrust audit seal and can prove to Microsoft that your CA will issue certs to something OTHER than your enterprise, you should be fine.
The WebTrust CA criteria were designed to help CAs follow a set of standardized evaluation criteria, like an RFC tries to enforce that protocols are standard. The WebTrust criteria are available for free at the AICPA website (AICPA). There are almost 400 criteria that a WebTrust auditor will use to evaluate your CA (not just the "host" but all your CA company's policies, practices, and processes).
To the person who said that you could just "hire a bunch of lawyers" for $250,000 and pass, I say "I highly doubt that". The WebTrust audit requires their auditors to actually see and verify the CA complies with the requirements. A box of lawyers can't create CA issuance log files, show how you maintain your HSM, or prove that you keep your /etc/password file clean of employees who have left your company since the last audit.
2) Once CAcert gets a WebTrust Seal, then they can fill out the application at Microsoft's site. If they're accepted, they get into the next quarterly Root List update issued by Microsoft (next update: this month).
After they're "in the list", WinXP machines will automatically download the new root cert whenever IE/Outlook performs a certificate path validation operation and sees the CACert root. It's automagic. Older Windows OSes will need to get the new root list from the WindowsUpdate site.