Slashdot Mirror

← Back to Stories (view on slashdot.org)

Free Certificate Authority Unveiled by Aussies

Posted by CowboyNeal on from the good-things-from-down-under dept.

SonOfGates writes "Well, the Aussies have invaded Boston but at least they're not throwing tea into the harbor. AU-based nonprofit CAcert Inc has spent the last few days at USENIX '04 registering new users by the truckload. They bill themselves as a 'Community-Based CA.' Could this be the begining of a true 'open' certificate authority? See the O'Reilly story and press release."

10 of 284 comments (clear)

  1. who else remmbers by ErichTheWebGuy · · Score: 5, Insightful

    when Microsoft released that update for IE that included lots of new CAs? Anyone think this one will be included in the next one? My guess is no, judging from Microsoft's general resistance to anything open.

    But, we might be surprised. Opinions anyone?

    ps. Maybe they should patch the browser first ;)

    --
    bash: rtfm: command not found
    1. Re:who else remmbers by 0racle · · Score: 4, Insightful

      Microsoft has no resistance to *everything* open, despite what you read on Slashdot.

      --
      "I use a Mac because I'm just better than you are."
  2. Re:Verisign/Thawte = mafia by justMichael · · Score: 4, Insightful

    While I agree with you completely. It all depends on what you are using it for.

    The problem with rolling your own is when a browser hits it, it burps up an error saying it can't verify the validity of the cert. Depending on what you are using the cert for, who cares.

    I have my webmail server forced through https with a self signed cert. If someone that uses my webmail server doesn't like it it's no skin off my butt (I provide free mail to a few friends).

    For any business sites that I setup I suggest InstantSSL, they are cheap, fast and trusted by pretty much any browser around. And that is the important part when selling to the public, that they don't get some warning. Most of them will never even look to see if the page is encrypted but if they get some funky warning odds are they will leave.

  3. Cry cry cry, certs aren't free. by t0qer · · Score: 4, Insightful

    I don't see what everyone is crying about certs costing money for. Seeing as how i've setup online shops for several people using certs, I think for what they do, the cost is justified.

    Not just anyone can get a CA cert. You have to be a business, I know verisign wants a copy of your business license, ect before they even issue you a cert.

    Now we got this "open CA". Who is going to check if these are legitimate businesses? Will there be any checks done at all, or will it just be "by the truckload" as the headline said?

    I'm all for saving a buck as much as the next guy, but when I shop online, knowing that the cert came from a trusted source that actually checks if it's issuing a cert to a legitimate business like verisign or thawte puts my mind, as well as the minds of a lot of others.

    1. Re:Cry cry cry, certs aren't free. by mabu · · Score: 4, Insightful

      hmmm depends. personally i usually wouldn't be handing my cc number to a company that won't pay for it's own cert and is using a shared hosting one, unless i already knew they were ok beforehand.

      First and foremost, the Fair Credit Billing Act of 1976 protects consumers against most credit card fraud, so the whole notion of fraud being a major issue is essentially blown out of preportion. If someone charges something to your credit card, you charge it back and the burden is on the merchant to prove the legitimacy of the transaction or they lose, so there's never been much of a threat for consumers anyway.

      Second, the way things have been going, customers are likely to get better products and services from smaller companies, many of whom may not be that technically inclined but instead tend to spend their energy on providing their core products and services and not running their own web servers.

      Our ISP handles more than US$5M/month in online transactions for many companies much larger than ourselves, and we operate most sites under our umbrella SSL Cert. Never had any complaints.

      The issue is not unlike Paypal. People accept Paypal on their web sites. When you go to complete the transaction, you're switched to Paypal's servers - there's no easy way around that. Consumers are used to this and companies like mine go out of our way to establish our reputation as a trusted provider of solid, secure e-commerce. Clients that use our services benefit from our reputation and performance. Everything works fine.

  4. Re:About time... by torinth · · Score: 4, Insightful

    No infrastructure? No talking to servers? Que?

    Without CA's and revocation information, SSL-style (RSA) public key infrastructures are useless. That means every client needs access to recently updated and TRUSTED revocation lists to make sure that no cert's have been forged or stolen. Every meaningful SSL client should periodically verify that any server certificates it uses are and remain valid. Using the CA's public key is absolutely NOT sufficient.

  5. Re:About time... by asdfghjklqwertyuiop · · Score: 4, Insightful

    The servage is cheap since it doesn't even involve talking to their servers, just checking acceptance via a signing key... ANYONE can do that..! NO infrastructure!


    I think you're forgetting the part about actually verifying the authenticity of what they're signing.

    IE, If I send them a certificate signing request with my public key and a name of George W Bush on the CSR, are they just gonna go ahead and sign it and give me a certificate stating that I'm George W Bush?

    Certficate authorities usually require you to provide them with proof of your identity, like faxing you a driver's license, birth certificate, buisness license, trying to contact you at the stated address and phone number, etc... if they didn't do this, they wouldn't be very useful CAs... the certificates they issue would be meaningless.

    Of course, this is not to say that the expensive commercial CAs are trustworthy simply because they charge money... not at all. But to be an useful CA you need to have the manpower to verify the stuff people ask you to sign. I wonder how this free CA will accomplish that.
  6. Re:About time... by mindmaster064 · · Score: 5, Insightful

    Exactly how many certificates have you seen revoked? And how many of these revocation lists are going around? I agree that the implementation of the certs is screwy, since basically it means nothing at this point other than the fact that you are communicating over SSL. Basically from a browser standpoint the implementation of certificates is completely worthless since the authentication checking is just not there. The X.509 cert's were originally designed to completely authenticate that you are talking to the host/person you intended to. Since browsers currently do absolutely nothing but a check vs. the public CA key basically any cert the CA issued regardless of status (other that those that have expired with time) are complete valid certs. They could have been forged, stolen, or otherwise abused but we trust them anyway... Really a sad state of things.... X.509 revocations do exist, but since there really is no universal Public Key Infrastructure (for the non-security guru), or rather the browsers don't even TRY or HAVE A WAY to validate them in most cases they really don't mean much at all...

    -Mind

  7. Re:But what browsers will support by njdj · · Score: 4, Insightful
    If Internet Explorer doesn't support it's unfortunately not very useful.

    Translation: You still use Microsoft Internet Explorer.

    People who use MSIE obviously are not concerned about privacy or security, so CAs are irrelevant to them.

    Consequently, people who still use MSIE are irrelevant to those of us who are concerned about privacy and security. People who are concerned about privacy and security are a small minority of Internet users. That doesn't mean we shouldn't try to get the privacy and security we want.

  8. We want to believe in CACert... but ... by njdj · · Score: 4, Insightful
    When I saw this news, my reaction was that it's great and I want to support it. Verisign et al have been too greedy for too long.

    But we have to be careful that we don't let our "wish to believe" blind us to the need for some caution here. Take at look at CACert's site. You'll find carelessness, spelling mistakes, pieces that have not been thought out. Running a CA properly requires meticulous attention to detail, and their site shows the opposite. On the very first page when you sign up, it asks for your name, date of birth, and "country". Is that country of citizenship, or country of residence?

    Then there's the reliance on "government ID". If somebody presents Nigerian ID, or Dominican Republic ID, what exactly is that worth? It's not worth anything, you can bribe officials in those countries (and many others) to issue whatever official document you want. Does that mean that citizens of Nigeria can never be trusted? That's well over 100 million people in just that one country, most of whom are honest and trustworthy. It's ridiculous to exclude so many people from receiving certificates just because their bureaucrats are corrupt, and it's completely contrary to the transnational spirit of the Internet.

    In conclusion, the idea behind CACert is a good one, but the people running it don't seem to be doing a good job. I hope that somebody else takes up the idea and does it better. There is no reason why there should not be more than one volunteer-based CA.