Is It Time For an Open Source Certificate Authority?
cagnol writes "So far there are three free ways to get a free certificate to sign your email and receive encrypted communications: Thawte, Comodo and CAcert.
Thawte's root certificate is in mainstream browsers. Thawte's interface is good and the web of trust allows for increased security by verifying people's identity. However Thawte is not open-source; worse: it is owned by VeriSign. Comodo's root certificate is in mainstream browsers too but there is no web of trust and their forms are not always working.
CAcert is the closest to an open-source certificate authority but is not open-source and it seems that parts of the system are shaky. CAcert provides a web of trust. Unfortunately, CAcert's root certificate is not in mainstream browsers.
Don't you think it is time for a true open-source certificate authority? Should this community be related to the Mozilla Foundation and comply, since day one, with the requirements to get a root certificate in Firefox?"
Having an open source CA is one thing. Having the root certificate included in major browsers is an expensive endeavor. The www.cacert.org site has an FAQ entry about this:
http://wiki.cacert.org/wiki/InclusionStatus
Summary: Lots of open source browsers already have the cert; Mozilla/Firefox will have it soon. Internet Explorer (and apparently Apple's Safari) won't have it unless they come up with a way to pay for the $75,000+ plus $10,000 a year for an AICPA WebTrust audit.
It's already possible to get SSL server certificates for a few dollars; these "work" in the sense of not triggering scary browser messages but are essentially worthless in the sense that they do not provide any further positive identification of site ownership. Unfortunately it's hard to see how anything "open source" could improve on this, unless the open source CA were willing to provide background-checking services for free.
It's also already possible to get high quality free/beer personal identification certificates, for example from the Thawte Web Of Trust, which issues personal certs based on a real-world check of national ID such as a passport.
What we really need from an open CA is something you cannot, to my knowledge, get elsewhere, which is reliable code-signing certificates without spending hundreds of dollars.
"Don't belong. Never join. Think for yourself. Peace." V.Stone, Microsoft Corporation
That is incidentally how SSH authentication works. The host key is cached along with the host name, so if it is different the next time you connect, you'll get a big warning.
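The trust-on-first-use behaviour the comment describes, as an added example that is not part of the original thread or of OpenSSH itself: a minimal known_hosts-style cache that records a host's key fingerprint on first contact and flags any later change instead of silently overwriting it. The host name and the key blobs are constructed stand-ins.

```python
import base64
import hashlib

# Constructed sample keys: stand-ins for the raw public-key blobs an SSH
# server presents during key exchange (not real keys).
KEY_A = b"ssh-ed25519 constructed-example-key-A"
KEY_B = b"ssh-ed25519 constructed-example-key-B"


def fingerprint(pubkey: bytes) -> str:
    """OpenSSH-style fingerprint: base64(SHA-256(key blob)) without padding."""
    digest = hashlib.sha256(pubkey).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check_host(cache: dict, host: str, pubkey: bytes) -> str:
    """Trust-on-first-use check against a known_hosts-style cache.

    Returns one of:
      "first-use" - host unseen; its fingerprint is recorded for next time
      "match"     - cached fingerprint equals the presented key
      "MISMATCH"  - the key changed; the cache is deliberately NOT updated,
                    so the caller can refuse to connect and investigate
    """
    fp = fingerprint(pubkey)
    cached = cache.get(host)
    if cached is None:
        cache[host] = fp
        return "first-use"
    if cached == fp:
        return "match"
    return "MISMATCH"


def demo() -> list:
    """Walk through first contact, a repeat visit, a changed key, and
    the original key again (showing the mismatch left the cache intact)."""
    cache = {}
    return [
        check_host(cache, "example.org", KEY_A),
        check_host(cache, "example.org", KEY_A),
        check_host(cache, "example.org", KEY_B),
        check_host(cache, "example.org", KEY_A),
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```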
I don't really understand what the original poster meant by saying CAcert is not open source. Open source doesn't really apply to something like a certificate authority, because they are not providing software. Anyone can get a CAcert certificate at no cost. All you have to do is show two forms of government-issued ID (one with a photo) to an existing member. The more people who assure you in this way, the better the certificate you can get, and eventually you are allowed to start assuring people yourself. The problems I see with CAcert are:
I am TheRaven on Soylent News
You're welcome to teach my grandmother how to personally audit every line of source code for every program she ever installs.
Certificates have other uses than blob signing. If nothing else, the current infrastructure of "web" certificates would allow you to verify that the mozilla.org you're about to download and run executable code from is mozilla.org and not some leet h4xxor who owned your ISP's DNS server. They're also supposed to be able to verify that it's Amazon.com Inc. you're about to give your credit card number to and you're not really at a carefully cloaked amazonn.com but in practice that kind of protection isn't dependable.
I wish the Mozilla foundation would get a cert; AFAICT they don't have one and it freaks me out whenever I download an extension...
-:sigma.SB (the paranoid)
WARN
THERE IS ANOTHER SYSTEM
Thanks for proving a key point:
Thwaite
Thawte