Slashdot Mirror


Free Certificate Authority Unveiled by Aussies

SonOfGates writes "Well, the Aussies have invaded Boston but at least they're not throwing tea into the harbor. AU-based nonprofit CAcert Inc has spent the last few days at USENIX '04 registering new users by the truckload. They bill themselves as a 'Community-Based CA.' Could this be the beginning of a true 'open' certificate authority? See the O'Reilly story and press release."

10 of 284 comments

  1. who else remembers by ErichTheWebGuy · Score: 5, Insightful

    when Microsoft released that update for IE that included lots of new CAs? Anyone think this one will be included in the next one? My guess is no, judging from Microsoft's general resistance to anything open.

    But, we might be surprised. Opinions anyone?

    ps. Maybe they should patch the browser first ;)

    --
    bash: rtfm: command not found
    1. Re:who else remembers by DNS-and-BIND · Score: 5, Funny
      Just make an unsigned ActiveX control to import the cert. People click "yes" on those things all the freaking time.

      For that matter, just tell people to click "yes" to accept your uncertified cert...they'll do that too.

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
  2. Good for them by A. Pizmo Clam · Score: 5, Informative

    Many ISPs and low-budget groups have self-signed certs. They're easy to make. Hopefully this project will make it easier. I have quite often seen sites with a self-signed cert and another page giving the fingerprint of the cert. Most vendors allow these, but they aren't "trusted".

    The only reason the big companies charge so much (their claim, not mine) is the insurance they provide, and the fact that they are "trusted" by the various vendors.

    Any new group wanting to be a trusted CA will face the liability issue -- if one of your customers sues you, even if you try to disclaim all liability up front, you will still face massive court fees. Even if you won in court, you would lose financially if not insured.

    There is no technical or logistical problem with setting up a Free (and free) common-geek's CA, the problems are entirely legal ones. I know because I looked into it right after SSL came out. It looks like a good business plan, right up until someone takes you to court.

    --
    Thank you for your support.
  3. Where's the government for a change? by Anonymous Coward · Score: 5, Interesting

    While I normally think the government should keep its nose out of most places, I think this is one place where the government could actually do some good. Just like many states and governments provide officially accepted picture IDs to individuals, I think they could easily set up a service to provide official digital IDs to all the citizens. Companies like Verisign may still have a role in providing corporate certs, etc, but I think the government is the best way to provide a universally recognized digital ID to everyone.

  4. Verisign/Thawte = mafia by mabu · Score: 5, Interesting

    The whole notion that a Cert authority is needed is essentially bogus in my opinion. We've been rolling our own certs for years for all but the main e-commerce web servers. Who wants to pay the outrageous extortion fees Verisign/Thawte charge and jump through the goofy hoops? I bite my lip and do this every two years for the main web server just so my clients don't totally (unnecessarily) freak out at the prospect of a dialogue box popping up in SSL mode warning them that Microsoft's "paranoia-protection-money" wasn't paid-off.

    The Cert authorities are a joke. We registered one CA with Verisign with virtually no documentation, and another time, when renewing an existing, different cert, they demanded everything short of a blood test for "authentication." It's nothing short of criminal considering they charge $200+ for something that takes 10ms to generate that they make people wait weeks for, and in no way guarantees superior security, and they'll make certs for anyone with money so the identity checking is BS and moot.

    I'm all for a free certifying agency, but you can also roll-your-own with OpenSSL.

  5. Re:Cry cry cry, certs aren't free. by Leebert · Score: 5, Interesting

    > However, the most common usage of SSL certs is simply to enable encryption between two points. For this, there's nothing wrong with even a home-brew cert - validation of the cert via it matching the domain should be sufficient. An SSL cert generated by a 3rd party adds absolutely nothing to security, and it shouldn't do anything to reassure the customer/client that they're dealing with a legitimate operation.

    It prevents man-in-the-middle attacks. That's the most important reason for me to use a trusted CA.

  6. Re:Sounds like... by casuist99 · Score: 5, Informative

    I know it's not non-profit, but Thawte does provide personal certificates for free. You can use them for email encryption and signing without any difficulty. As for server certificates (https, etc), I think you'd have to pay for those, but for personal email usage, Thawte is a pretty good option.

  7. Denmark has this... by Jezral · Score: 5, Informative

    Denmark has free digital signatures for all citizens, for use in email, to sign in on sites, etc...

    URLs:
    - http://www.digitalsignatur.dk/
    - http://privat.tdc.dk/digital/
    (both in Danish, though...)

    The technicalities are run by the largest phone company/ISP, TDC, but otherwise it's fully a government thing.

  8. Re:About time... by mindmaster064 · Score: 5, Insightful

    Exactly how many certificates have you seen revoked? And how many of these revocation lists are going around? I agree that the implementation of the certs is screwy, since basically it means nothing at this point other than the fact that you are communicating over SSL. Basically from a browser standpoint the implementation of certificates is completely worthless since the authentication checking is just not there. The X.509 certs were originally designed to completely authenticate that you are talking to the host/person you intended to. Since browsers currently do absolutely nothing but a check vs. the public CA key, basically any cert the CA issued regardless of status (other than those that have expired with time) is a completely valid cert. They could have been forged, stolen, or otherwise abused but we trust them anyway... Really a sad state of things.... X.509 revocations do exist, but since there really is no universal Public Key Infrastructure (for the non-security guru), or rather the browsers don't even TRY or HAVE A WAY to validate them in most cases, they really don't mean much at all...

    -Mind

  9. Root certificate for Redhat, Opera, Mozilla by stray · Score: 5, Informative

    In the June edition of ;login: (the Usenix Association's magazine), there is an article by Adam Butler (of CAcert) describing the project and shedding some light on the process of getting a CA root certificate included into various browsers:

    Quote from the article:

    "In true Microsoft style, Redmond adopted a new metric for determining whether a CA's root certificate is to be included with its browser/OS/kitchen-sink product: In order for a CA's root certificate to be accepted - I swear I'm not making this up - Redmond said CA must pay a WebTrust-licensed member of the American Institute of Certified Public Accountants up to $250,000 for an initial evaluation/inspection, plus additional tens of thousands of dollars in fees on a periodic "follow-up" basis.

    The makers of the Opera Web browser did not respond to email queries regarding their inclusion policies/requirements; however, a Bermuda-based CA representative stated in the netscape.public.mozilla.crypto newsgroup that "as of [his] last contact in 2003, Opera wanted cash to add a CA [root certificate]. They did not appear to have a standards policy.".

    He goes on to describe the process of getting the root cert, hopefully, included into the Mozilla project through a Bugzilla feature enhancement request. From what I read from the article, the discussion about this is still going on.