Slashdot Mirror

← Back to Stories (view on slashdot.org)

Free Certificate Authority Unveiled by Aussies

Posted by CowboyNeal on from the good-things-from-down-under dept.

SonOfGates writes "Well, the Aussies have invaded Boston but at least they're not throwing tea into the harbor. AU-based nonprofit CAcert Inc has spent the last few days at USENIX '04 registering new users by the truckload. They bill themselves as a 'Community-Based CA.' Could this be the begining of a true 'open' certificate authority? See the O'Reilly story and press release."

12 of 284 comments (clear)

  1. Good for them by A.+Pizmo+Clam · · Score: 5, Informative

    Many ISP's and low-budget group have self-signed certs. They're easy to make. Hopefully this project will make it easier. I have quite often seen sites with a self-signed cert and another page giving the fingerprint of the cert. Most vendors allow these, but they aren't "trusted".

    The only reason the big companies charge so much (their claim, not mine) is the insurance they provide, and the fact that they are "trusted" by the various vendors.

    Any new group wanting to be a trusted CA will face the liability issue -- if one of your customers sues you, even if you try to disclaim all liability up front, you will still face massive court fees. Even if you won in court, you would lose financially if not insured.

    There is no technical or logistical problem with setting up a Free (and free) common-geek's CA, the problems are entirely legal ones. I know because I looked into it right after SSL came out. It looks like a good business plan, right up until someone takes you to court.

    --

    Thank you for your support.
  2. Note to users (from their website) by kai5263499 · · Score: 3, Informative

    Note: If you plan to use these certificates with Internet Explorer, Outlook, or Outlook Express then generate the certificate from within Internet Explorer. They can't be sucessfully imported into Internet Explorer. Believe us, we've tried...

    --
    -Wes
  3. Re:who else remmbers by ErichTheWebGuy · · Score: 4, Informative

    Yea, you can do it in IE too. The problem is that end-users do not know how to, and the whole concept is completely foreign to them.

    Sad as it may be, IE is still used by something like 85% of the world.

    --
    bash: rtfm: command not found
  4. Re:Maybe. by nachoboy · · Score: 4, Informative

    Verisign acquired Thawte in late 1999. Though they acknowledge the fact on their corporate website, they don't exactly make it obvious they no longer compete with Verisign.

  5. Re:Sounds like... by casuist99 · · Score: 5, Informative

    I know it's not non-profit, but Thawte does provide personal certificates for free. You can use them for email encryption and signing without any difficulty. As for server certificates (https, etc), I think you'd have to pay for, but for personal email usage, Thawte is a pretty good option.

  6. Alternatively... by temojen · · Score: 4, Informative

    Here's a summary of a proposal I wrote for canadian provinces...

    The Governor General's office acts as the root CA for Government Ministries & Crown Corporations and Professional Associations.

    Any professional association (Bar Association, College of Physicians & Surgeons, Engineers, etc) acts as a CA for it's members and corporations working in their field (Law firms (lawyers, paralegals, legal secretaries), Medical Clinics (Doctors, Nurses, X-Ray Techs, Appointment Clerks), etc)

    Certified Accountants act as a CA for Corporations, Societies, Partnerships, etc.

    The Notaries public act as a CA for individuals.

  7. Re:Sounds like... by YOU+LIKEWISE+FAIL+IT · · Score: 4, Informative

    I use a Thawte p.cert to sign my email - there's a good writeup on configuring it to work with OSX's Mail.app here -- also a good example on how to provide visually appealing technical documentation that I can talk non-technically inclined people into reading.

    -- YLFI
    --
    One god, one market, one truth, one consumer.
  8. Denmark has this... by Jezral · · Score: 5, Informative

    Denmark has free digital signatures for all citizen, for use in email, to sign in on sites, etc...

    URLs:
    - http://www.digitalsignatur.dk/
    - http://privat.tdc.dk/digital/
    (both in Danish, though...)

    The technicalities are run by the largest phone company/ISP, TDC, but otherwise it's fully a government thing.

  9. Re:About time... by SpecBear · · Score: 3, Informative

    SSL certificates assure two things:

    1) You communications are encrypted and can't be interecepted in transit. These days this is a trivial thing and can easily be provided with a self-signed cert.
    2) The identity of the site owner has been verified. The trusted certificate authority has taken some measures to assure that the site has been authorized by the entity named in the certificate. This is not trivial.

    Without #2, it's not too hard to set up a fake site and hijack someone's traffic. You can then collect usernames and passwords, or distribute false information. Imagine if someone uses a BIND exploit to take over your ISP's DNS servers and reroutes yourbank.com to a fake site. When you pay for a certificate from a trusted CA, you're paying for #2. If you don't care about #2 for your purposes, then you can act as your own certificate authority.

  10. Re:who else remmbers by 0racle · · Score: 4, Informative

    Services for Unix is widely known to use BSD licensed code and utilities from the OpenBSD project. The TCP/IP stack in early NT products was BSD code, and its possible some of the utilities, the ftp client for example, is still BSD code.

    Microsoft doesn't like the GPL, but the GPL is not the be all and the end all of Free Software. Microsoft has no problems with other open licenses.

    --
    "I use a Mac because I'm just better than you are."
  11. Most commercial certs are worthless by Animats · · Score: 4, Informative
    Most certificates certify nothing. The issuer guarantees nothing, and the "relying party agreement", if you can find it, promises very little, if anything.

    For example, see the TrueSite Relying Party Agreement. "The Service is provided on an as-is basis without warranties of any kind".

    Even Verisign's Relying Party Agreement, while it does offer some warranties, has a complicated scheme for weaseling out of Verisign's obligation to verify the certificate holder's identity. The relying party agreement refers you to the CPS Section 11, says "Issuing authorities (and VeriSign, to the extent specified in the referenced CPS sections) warrant and promise to ... perform the application validation procedures for the indicated class of certificate as set forth in CPS Section 5, Validation of Certificate Applications." There, Verisign says "The IA shall confirm that ... the information to be listed in the certificate is accurate, except for nonverified subscriber information (NSI)." The linked definition of "nonverified subscriber information" is "Information supplied to a certification authority as part of a certificate application". So Verisign doesn't actually stand behind any of the information in their certificates.

    This is much weaker than a signature guarantee by a commercial bank, where the bank guarantees to other parties that the person was properly identified. But it costs more.

    I'd like to see banks belonging to Visa International and MasterCard issue digital certificates, and require that their certificates had to be on a page that accepted their credit cards. Certificates from banks would actually be worth something.

  12. Root certificate for Redhat, Opera, Mozilla by stray · · Score: 5, Informative
    In the June edition of ;login: (the Usenix Association's magazine), there is an article by Adam Butler (of CAcert) describing the project and shedding some light on the process of getting a CA root certificate included into various browsers:

    Quote from the article:

    "In true Microsoft style, Redmond adopted a new metric for determining whether a CA's root certificate is to be included with its browser/OS/kitchen-sink product: In order for a CA's root certificate to be accepted - I swear I'm not making this up - Redmond said CA must pay a WebTrust-licensed member of the American Institute of Certified Public Accountants up to $250,000 for an initial evaluation/inspection, plus additional tens of thousands of dollars in fees on a periodic "follow-up" basis.

    The makers of the Opera Web browser did not respond to email queries regarding their inclusion policies/requirements; however, a Bermuda-based CA representative stated in the netscape.public.mozilla.crypto newsgroup that "as of [his] last contact in 2003, Opera wanted cash to add a CA [root certificate]. They did not appear to have a standards policy.".


    He goes on to describe the process of getting the root cert, hopefully, included into the Mozilla project through a Bugzilla feature enhancement request. From what I read from the article, the discussion about this is still going on.