

Is It Time For an Open Source Certificate Authority?

cagnol writes "So far there are three free ways to get a free certificate to sign your email and receive encrypted communications: Thawte, Comodo and CAcert. Thawte's root certificate is in mainstream browsers. Thawte's interface is good and the web of trust allows for increased security by verifying people's identity. However Thawte is not open-source; worse: it is owned by VeriSign. Comodo's root certificate is in mainstream browsers too but there is no web of trust and their forms are not always working. CAcert is the closest to an open-source certificate authority but is not open-source and it seems that parts of the system are shaky. CAcert provides a web of trust. Unfortunately, CAcert's root certificate is not in mainstream browsers. Don't you think it is time for a true open-source certificate authority? Should this community be related to the Mozilla Foundation and comply, since day one, with the requirements to get a root certificate in Firefox?"

15 of 219 comments

  1. Root certificate inclusion is expensive by wizman · · Score: 5, Informative

    Having an open source CA is one thing. Having the root certificate included in major browsers is an expensive endeavor. The www.cacert.org site has an FAQ entry about this:

    http://wiki.cacert.org/wiki/InclusionStatus

    Summary: Lots of open source browsers already have the cert; Mozilla/Firefox will have it soon. Internet Explorer (and apparently Apple's Safari) won't have it unless they come up with a way to pay for the $75,000+ plus $10,000 a year for an AICPA WebTrust audit.

  2. Main use would be code-signing by badzilla · · Score: 3, Informative

    It's already possible to get SSL server certificates for a few dollars; these "work" in the sense of not triggering scary browser messages but are essentially worthless in the sense that they do not provide any further positive identification of site ownership. Unfortunately it's hard to see how anything "open source" could improve on this, unless the open source CA were willing to provide background-checking services for free.

    It's also already possible to get high quality free-as-in-beer personal identification certificates, for example from the Thawte Web of Trust, which issues personal certs based on a real-world check of national ID such as a passport.

    What we really need from an open CA is something you cannot, to my knowledge, get elsewhere: reliable code-signing certificates without spending hundreds of dollars.

    --
    "Don't belong. Never join. Think for yourself. Peace." V.Stone, Microsoft Corporation
  3. Re:Zimmerman has it right. by Anonymous Coward · · Score: 3, Informative

    That is incidentally how SSH authentication works. The host key is cached along with the host name, so if it is different the next time you connect, you'll get a big warning.

  4. Re:CACert TTP program by crush · · Score: 2, Informative

    Here's a link to the paperwork, and here's some info about it

  5. Re:Advertise it for other than e-commerce. by TheRaven64 · · Score: 5, Informative

    I use a CACert certificate on a couple of mail servers, for outbound SMTP and inbound POP/IMAP. If I need to re-create the certificate, none of the users has to know anything about it, as long as they added the CACert root to their client; the old and new ones are both signed by the same root, and so it just works.

    I don't really understand what the original poster meant by saying CACert is not open source. Open source doesn't really apply to something like a certificate authority, because they are not providing software. Anyone can get a CACert certificate at no cost. All you have to do is show two forms of government-issued ID (one with a photo) to an existing member. The more people who assure you in this way, the better the certificate you can get, and eventually you are allowed to start assuring people yourself. The problems I see with CACert are:

    1. There is not yet a good infrastructure for assuring organisations. Non-profits would benefit a lot from this kind of thing.
    2. There is no good revocation mechanism, nor a good verification mechanism. The points A gets from being assured by B and C are the same, even if C was assured by B. It would be better if you had to be assured by people from divergent branches of the tree.
    3. Due to the way IE handles root CAs (i.e. pay lots of money), it is not likely to get in there for a very long time.

    --
    I am TheRaven on Soylent News
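TheRaven64's second point, as an added illustration that is not from the comment and is not CAcert's data or rules: a small Python model of an assurance graph that compares a flat points sum with a hypothetical rule discounting any assurer who was themselves assured by another of the same person's assurers. The names, point values and the discount rule are all constructed for the example.

```python
from collections import defaultdict

# Constructed assurance records (assurer, assuree, points). Illustrative data
# for a hypothetical points model, not CAcert's data or its actual rules.
ASSURANCES = [
    ("root", "B", 35),
    ("root", "D", 35),
    ("B", "C", 35),
    ("B", "A", 35),
    ("C", "A", 35),   # C was assured by B, so C's assurance of A is not independent of B's
    ("D", "A", 35),   # D sits in a different branch of the tree
]

def build_graph(records):
    """Map each assuree to {assurer: points}, ignoring self-assurance."""
    graph = defaultdict(dict)
    for assurer, assuree, points in records:
        if assurer != assuree:
            graph[assuree][assurer] = points
    return graph

def upstream(graph, person):
    """Everyone who, directly or transitively, assured `person`."""
    seen, stack = set(), [person]
    while stack:
        for assurer in graph.get(stack.pop(), {}):
            if assurer not in seen:
                seen.add(assurer)
                stack.append(assurer)
    return seen

def naive_points(graph, person):
    """Flat sum: every assurance counts in full, whoever the assurer was assured by."""
    return sum(graph.get(person, {}).values())

def independent_points(graph, person):
    """Hypothetical rule: an assurer only counts if no other assurer of `person`
    is upstream of them. Returns (points, {discounted assurer: upstream assurers})."""
    assurers = graph.get(person, {})
    discounted = {}
    for assurer in assurers:
        overlap = (set(assurers) - {assurer}) & upstream(graph, assurer)
        if overlap:
            discounted[assurer] = sorted(overlap)
    points = sum(p for a, p in assurers.items() if a not in discounted)
    return points, discounted

if __name__ == "__main__":
    g = build_graph(ASSURANCES)
    print("flat sum for A:", naive_points(g, "A"))            # 105
    print("independent points for A:", independent_points(g, "A"))  # (70, {'C': ['B']})
```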
  6. How do you get the "Trust" part? by tji · · Score: 2, Informative

    Open Source CAs are pretty straightforward. All the code is available, and people are already doing it. The difficult part is establishing the trust model. The root CA needs to be well managed. But, more difficult is the process for issuing new certificates. If you just give certs out without strong validation of who you're giving it to, your trust model is worthless. If anyone can go in and freely get a cert, what confidence do you have that the cert holder is not a "bad guy"?

    That's why commercial CAs, like Verisign, cost money, and provide a real service. They do try to verify the organization they give certs to. It may not be perfect, and many people complain about how strong that validation is. I can imagine what those people would think about an open source CA, and their level of validation before providing certs.

  7. Absolutely Yes by Apreche · · Score: 1, Informative

    In order to do any sort of secure transaction on the web, you need SSL. If people don't see the little lock icon, they will be very unlikely to trust your website. To get that icon you need a signed SSL certificate. Sure, you can sign your own. However, if your cert isn't in the browser, then users will get a warning popup that your site might not be safe. That's worse than not having the lock in the first place.

    Verisign, Comodo, and others have a big scam going on. Whoever wants to conduct secure business on the web needs to pay one of them a toll to get their certificates signed. There's no reason that this should cost money. Signing a certificate is such a trivial activity. It's more effort to write this post on Slashdot than it is to sign a cert.

    We either need a new security mechanism for secure transactions on the web or we need a free and secure way to get certs signed. Without this, we will always have a few companies acting as gatekeepers deciding who is allowed to conduct secure commerce on the web. That is not cool.

    --
    The GeekNights podcast is going strong. Listen!
  8. Re:am I missing something here? by Solra Bizna · · Score: 3, Informative

    You're welcome to teach my grandmother how to personally audit every line of source code for every program she ever installs.

    Certificates have other uses than blob signing. If nothing else, the current infrastructure of "web" certificates would allow you to verify that the mozilla.org you're about to download and run executable code from is mozilla.org and not some leet h4xxor who owned your ISP's DNS server. They're also supposed to be able to verify that it's Amazon.com Inc. you're about to give your credit card number to and you're not really at a carefully cloaked amazonn.com but in practice that kind of protection isn't dependable.

    I wish the Mozilla foundation would get a cert; AFAICT they don't have one and it freaks me out whenever I download an extension....

    -:sigma.SB (the paranoid)

    --
    WARN
    THERE IS ANOTHER SYSTEM
  9. Re:Zimmerman has it right. by Workaphobia · · Score: 2, Informative

    I don't think I understand how your statements follow from mine. How is authorization going to require infinite employees answering requests in finite time? Why are employees even involved?

    --
    Evidently, the key to understanding recursion is to begin by understanding recursion. The rest is easy.
  10. Re:Zimmerman has it right. by bcrowell · · Score: 2, Informative

    You're actually interested in whether this Ckwop guy I'm speaking to now is the same guy as I spoke to last-time. [...] When you weaken your security requirement to this position, you can remove a staggering amount of complexity.

    A couple more reasons why a free certification authority is not as useful or feasible as one might think:
    1. The traditional service is useless unless someone is going to check on the real-world credentials of the person applying for a certificate. That means there have to be office workers sitting around in cubicles processing paperwork: please fax us a copy of a recent utility bill, blah blah blah. Does that sound like fun, or does it sound like work? Does it sound like something that Mr. J. Bearded Hacker feels like doing all day as his contribution to the free information movement? Sure, theoretically you can have a web of trust based on key signing parties, etc., but in reality that's never taken off to the point where it was a useful option for most businesses.
    2. I think a lot of people who complain about the expense of certificates are individuals who would like to set up their own apache server and take credit card transactions via https. The fact that they're worried about this particular expense tells you that they're probably hobbyists who aren't serious about running a business full time. Well, I've had some experience with taking credit card transactions for a hobby business, and I can tell you that you just don't want to do it. Setting up a merchant account is a lot of hassle. Dealing with transactions is a lot of hassle. You're actually setting up a business relationship with three or four different companies that are involved in the process, and when there's a problem, each one will blame all the others. You're dealing with customers who use stolen cards. You're telling the companies your banking info, and then as time goes on they start putting mysterious monthly charges on your account, which you have to fight them about. If you're making a living by running a restaurant, then by all means, you need to have a merchant account. If you're a hobbyist, you should find some other way to handle transactions.
  11. Re:In reality... by pjt33 · · Score: 2, Informative

    Why should certificates be tied to business licences? You don't have to be a business to want to use SSL with your website.

  12. Re:What's by Workaphobia · · Score: 2, Informative

    None. The card's just an artifact of the past. Under the current system even, there's no reason to have a card in internet shopping if you have your number and security code written down on a piece of paper.

    --
    Evidently, the key to understanding recursion is to begin by understanding recursion. The rest is easy.
  13. Thwaite, eh? by zCyl · · Score: 3, Informative

    I trust Thwaite a whole lot more than I trust an Anonymous Coward on Slashdot.

    Thanks for proving a key point:

    Thwaite

    Thawte
  14. PGP != CA by DrYak · · Score: 2, Informative

    Those are two different things:

    PGP (and GPG) are systems using public/private key pairs. They are used to encrypt/decrypt or sign data from one point to another in a transmission.
    The thing that you are sure of is that, given one public key, only the corresponding private key in the pair could process the data in the opposite direction. (Completely independent of where that other key is.)

    CAs are about certificates. They certify that the person using a given key IS a person with the characteristics specified in the certificate. For example, a CACert certificate always certifies that a given key was issued to some specific e-mail address (and if you follow the correct procedure, you could also certify other verifiable information like your name, etc.)
    The thing you are (somewhat) sure of is who the person with the other key is supposed to be.

    PGP is about making key pairs; CAs are about knowing who is (supposed to be) who.

    The current problem is that, with most current applications, you can only use keys issued by CAs for web sites, mail servers and similar, and you have only 4 options: 3 of them being the 3 listed companies, the 4th being your own CA, signing and certifying your own keys yourself (but in that case, it's difficult to trust the signing because no browser has a corresponding CA key to check your CA certificate, whereas keys issued by Thawte, Comodo and CACert can be checked against their key that a browser comes with).

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  15. Re:Zimmerman has it right. by zantolak · · Score: 1, Informative

    I think a lot of people who complain about the expense of certificates are individuals who would like to set up their own apache server and take credit card transactions via https. The fact that they're worried about this particular expense tells you that they're probably hobbyists who aren't serious about running a business full time.

    Or they think encryption should be available for all HTTP traffic instead of forcing people to pay hundreds of dollars to these "authority" rackets for something functionally equivalent and just as secure as a self-signed certificate, just so the end user's browser doesn't pop up a warning because they dared to use a certificate that isn't from a company that managed to convince browser manufacturers that they're somehow more worthy of being trusted. Certificate authorities are a scam, plain and simple. Encryption needs to be freely available for everyone, not just people willing to shell out an extra $100-400 a year for something they could do themselves.