Slashdot Mirror

← Back to Stories (view on slashdot.org)

Is It Time For an Open Source Certificate Authority?

Posted by CmdrTaco on from the definitely-time-for-ice-cream dept.

cagnol writes "So far there are three free ways to get a free certificate to sign your email and receive encrypted communications: Thawte, Comodo and CAcert. Thawte's root certificate is in mainstream browsers. Thawte's interface is good and the web of trust allows for increased security by verifying people's identity. However Thawte is not open-source; worse: it is owned by VeriSign. Comodo's root certificate is in mainstream browsers too but there is no web of trust and their forms are not always working. CAcert is the closest to an open-source certificate authority but is not open-source and it seems that parts of the system are shaky. CAcert provides a web of trust. Unfortunately, CAcert's root certificate is not in mainstream browsers. Don't you think it is time for a true open-source certificate authority? Should this community be related to the Mozilla Foundation and comply, since day one, with the requirements to get a root certificate in Firefox?"

2 of 219 comments (clear)

  1. Root certificate inclusion is expensive by wizman · · Score: 5, Informative

    Having an open source CA is one thing. Having the root certificate included in major browsers is an expensive endeavor. The www.cacert.org site has an FAQ entry about this:

    http://wiki.cacert.org/wiki/InclusionStatus

    Summary: Lots of open source browsers already have the cert; Mozilla/Firefox will have it soon. Internet Explorer (and apparently Apple's Safari) won't have it unless they come up with a way to pay for the $75,000+ plus $10,000 a year for a AICPA WebTrust audit.

  2. Re:Advertise it for other than e-commerce. by TheRaven64 · · Score: 5, Informative
    I use a CACert certificate on a couple of mail servers, for outbound SMTP and inbound POP/IMAP. If I need to re-create the certificate, none of the users has to know anything about it, as long as they added the CACert root to their client; the old and new ones are both signed by the same root, and so it just works.

    I don't really understand what the original poster meant by saying CACert is not open source. Open source doesn't really apply to something like a certificate authority, because they are not providing software. Anyone can get a CACert certificate at no cost. All you have to do is show two forms of government-issued ID (one with a photo) to an existing member. The more people who assure you in this way, the better the certificate you can get, and eventually you are allowed to start assuring people yourself. The problems I see with CACert are:

    1. There is not yet a good infrastructure for assuring organisations. Non-profits would benefit a lot from this kind of thing.
    2. There is no good revocation mechanism, nor a good verification mechanism. The points A gets from being assured by B and C are the same, even if C was assured by B. It would be better if you had to be assured by people from divergent branches of the tree.
    3. Due to the way IE handles root CAs (i.e. pay lots of money), it is not likely to get in there for a very long time.
    --
    I am TheRaven on Soylent News