Is It Time For an Open Source Certificate Authority?
cagnol writes "So far there are three ways to get a free certificate to sign your email and receive encrypted communications: Thawte, Comodo and CAcert.
Thawte's root certificate is in mainstream browsers. Thawte's interface is good and the web of trust allows for increased security by verifying people's identity. However Thawte is not open-source; worse: it is owned by VeriSign. Comodo's root certificate is in mainstream browsers too but there is no web of trust and their forms are not always working.
CAcert is the closest to an open-source certificate authority but is not open-source and it seems that parts of the system are shaky. CAcert provides a web of trust. Unfortunately, CAcert's root certificate is not in mainstream browsers.
Don't you think it is time for a true open-source certificate authority? Should this community be related to the Mozilla Foundation and comply, since day one, with the requirements to get a root certificate in Firefox?"
All of the current CAs seem to over-emphasise the use of certificates for https servers and e-commerce. Their web sites mention this usage almost exclusively, and if other uses of certificates are mentioned they are hidden away.
So if an open source CA is set up, it would be good for it to give more prominence to other uses of certificates, such as S/MIME, starttls for mail servers, for VPN authentication etc.
Right now there are plenty of free certificate authority programs out there. The only difference is that the authorities are not trusted by the browsers. If you could have every authority trusted, the certificates would mean even less than they do now. All we really need to do is take the methodology CAcert uses and add their authority to the browsers.
Certificate Authority:
...
secretaryofstate.state.us or departmentofcommerce.state.us
you should recognize who it is
Far more paperwork and verification is done to incorporate (business licenses.) They have to commit tougher crimes to sneak off with a corporation or LLC. You have multiple parties interested such as the IRS and secretary of state who look bad if dummy corps are floating around (you don't mess with the IRS gangsters.)
Certs allow for multiple signings if I'm remembering correctly. There is no reason freemarket freaks can't have their meaningless verisign certs or have verisign sign their government cert. There would still be a market for individuals and "high-end" additional verification but that would just be for gullible people.
I've been saying this for a decade now. When will people come to their senses??
It wouldn't cost much. Local gov could source out the service for your irrational freemarket nuts.
My experience with government contractors:
1
politician X wants payoff for a friend
gov service is fattened up for the slaughter (sabotage or just talk)
politician X moves to kill
friend promises the world for half price and gets "special consideration" (for Bush skip this step)
friend doesn't meet obligations and/or goes over the bid (politicians in support cover their seat)
friend milks it for all it's worth
Reformers kill contract or make it less profitable (friend moves to next city)
GOTO 1
Democracy Now! - uncensored, anti-establishment news
https://bugzilla.mozilla.org/show_bug.cgi?id=215243#c164
Pasting for those too lazy to follow the link.
Rich Freeman wrote:
>
> It just seems like as an organization we [The Mozilla Foundation]
> should be trying to foster open source projects.
Whoa, there. I'd just like to point out that CaCert is not an open source
project in any sense of the term. It uses open source software *internally* to
provide a free (as in beer) service, but CaCert distributes no free (as in
*freedom*) software, and no software that could even remotely be considered
open source. Just the opposite in fact, see the license here, on their site:
http://www.cacert.org/src-lic.php
It clearly states that you:
1. may NOT modify the source code [...]
2. may NOT make copies of the source code [...]
3. may NOT give, sell, loan, distribute, or transfer the source code files
to anyone else, and, my favorite:
4. may NOT use [CaCert] software created for any purpose or reason other than
verifying that there are no unknown vulnerabilities or the like or otherwise
making your own assessment of the integrity of the source code and the security
features of the CaCert software
Furthermore, below it goes on: "All rights not expressly granted to you
[editorial comment: which would be "none"] in these license terms are reserved
by CAcert. CaCert retains ownership of all copyrights and other intellectual
property rights throughout the world in the CAcert source code and software.
You agree that CAcert will be given a perpetual non-exclusive rights to any and
all derived code, and you hereby assign rights in any modifications you make to
the source code and in any bug reports you submit to CAcert."
This just may be the single most disgusting and ill-advised hybrid software
license I have ever read. The author apparently seeks to keep the software
100% proprietary, guarding it from "competitors", and protecting potential
future licensing revenue, while simultaneously benefiting from the efforts of the
open source developer community to fix its bugs, and attest that it is not
malware, for free.
Although I wrote an impassioned comment (#12 above, of 161 so far!)
https://bugzilla.mozilla.org/show_bug.cgi?id=215243#c12 in *support* of
CaCert, uh, 4 years ago now, and was a CaCert user and Assurer, I discontinued
my involvement because the source code was released by the founder only months
later, after much prompting and delay, and when it was finally unveiled, these
onerous licensing restrictions were "slipped in" with zero community
discussion.
When I asked why the code was not made open source, the founder described his
perceived threat that if it was made open source, then other free CA's would
start popping up out of nowhere to run our code and to compete with CaCert and
he felt that this would decrease CaCert's chances of getting its root cert into
Mozilla, and then IE.
This seemed a paranoid and protectionist attitude and I've no longer
participated in the Assurer program or the CaCert community since, though I
have monitored the mailing lists. After the founder's recently announced
resignation, perhaps the new board of directors (or whatever governing body
structure they adopt) will revisit this anti-competitive, closed source
position.
I had thought a free CA would be a good thing, and if one is good, then two is
better, and hundred would be fantastic! So if they all *do* pop up, and share
code and development effort, I believe that all will benefit and perhaps,
someday, all will be accepted by all the browsers, and Verisign and the sma
My Hello World is 512 bytes. But it's also a valid Fat12 boot sector, Fat12 file reader, and Pmode routine.
Actually.... I wouldn't mind a secure RSS feed of my posted transactions...
While that concept works great in other realms, the truth is Visa has no interest in reducing fraud. They profit from fraudulent transactions, and so do their customers. The ones who are hit hardest are the sellers, as not only do they have to pay ridiculous chargeback fees, they often lose the item they were selling.
Let's say you buy something off the net, then call a month later and declare the transaction as fraudulent.... IMMEDIATELY they yank the cash out of the merchant's account, send you a cute little form you have to sign and fax back, and a week later they refund your money. You get to keep the item because you have the benefit of the doubt, or to be more precise: Visa and MC treat all merchants as guilty by default.
One time I had a customer buy an item, a hard drive for example. Then once the card went through, he decided he wanted another one (twit). So I cut him a second invoice and charge the card again for the same amount. A month later I get a letter regarding the 2nd transaction being a "duplicate", that it had already been reversed and a hit filed on my record. It took another couple of weeks of me faxing serial numbers, signatures and ultimately sending video proof from my security cameras (with sound). I was just about ready to go reclaim the hard drive in person and rip the guy's head off. A month later a supposed review committee decided in my favor "in light of evidence provided".
Now I was providing physical products with a clear evidence of the transaction. I can only imagine how horrible the problem is for mail-order and online transactions. How can a merchant prove they sold something if they've never met the customer ?
-Billco, Fnarg.com
That's essentially what paypal invoices are if you've got your CC set up.
:)
You make purchase.
Vendor sends you paypal invoice.
You pay paypal invoice.
Paypal charges your card.
Paypal transfers money to merchant
Merchant sends you product
Works like a charm.
Except I hate paypal.
Sure wish Visa/MC/Amex would just implement this directly:
You make purchase
Vendor sends you Visa "Net" Invoice
I log into Visa "Net" and authorize it.
Visa transfers money to merchant and charges my card.
Oh wait... they did. Its called "Verified by VISA".
The difference is that as part of the merchant checkout I'm actually directed to the Verified by Visa site to authorize the transaction directly with VISA, and then routed back to the vendor site. It's all pretty slick.
The ONLY issue with the system is that it's vulnerable to phishing etc. How do I really know I've been directed to the Verified by Visa site? The merchant directed me there, I didn't go there myself. But really what can be done to fix it?
If they disconnected the process so I had to manually log in to VISA and auth the transaction, it wouldn't really be any safer. Merchants are going to want to be helpful and they'll include a link to the Visa site, which might even take me directly to the transaction. But that link could be a phish site! Even if VISA banned the practice of merchant including links to VISA to force users to use their own bookmarks or whatever that would accomplish nothing:
Legit merchants would be frustrated as idiot customers wouldn't complete the transaction. Shopping carts would get stale. In cases of hot products like the Wii, what do they do while they wait for customers to finish authorizing. Hold it? Or Sell it? It could be days before the customer gets around to logging in.
(I mention Wii because I've tried to buy one 3 times online now, and twice they've sold it out from under me WHILE I'm going through the checkout. Worse, they check my cart for availability before going into the checkout [I know this because I've had it happen a couple times that I got the item into my cart, but then couldn't even get into checkout as it had sold out], and then at the final submit after entering CC info etc they've sold it right out of my cart.
I understand not holding the cart contents for 24 hours, but come on... 3 minutes from pressing checkout?! Sorry, Just venting... My last order finally got through checkout so hopefully I'll actually get one this time.)
Meanwhile illegitimate vendors will ignore the ban on links, and provide them. Customers ignorant or careless enough to fall for a phish attack will fall for this too.
I don't know what the solution is, beyond requiring the customer to be slightly paranoid, and constantly vigilant. (And that's somewhat unrealistic.)
One solution I do think would work is a dedicated hardware solution, where the vendor displays a transaction number on the screen. I insert my card into an 'interac debit machine like box', punch in the transaction number on the box's keypad, and perhaps a password, and the box communicates directly with VISA to authorize the transaction. I'd even pay a one-time $50-$100 bucks to buy such a box, which is *entirely* feasible as it wouldn't really be any more complex than a cheap nat/router.
The BOX would interact with the visa web site (web service), it would check certificates (to avoid dns spoofing, phishing sites, etc), and wouldn't be nearly as easy to fool as a person. And as a dedicated box, using certs, public key encryption, SSL, and other appropriate technologies it would pretty much take a firmware hack to defeat it.
It could probably even be made to work via USB to an internet connected computer instead of requiring its own network connection, and still be secure. Even if a virus/trojan replaced the drivers, I doubt they could perform an effective man-in-the-middle attack; all they'd get to see is encrypted traffic and a destination. Splicing it, or redirecting it wouldn't accomplish anything. There's even no reason that the system couldn't be available for Linux, or even GPL/OSS, as it doesn't rely on TPM/DRM at the OS level.
Dammit. Now I want one.
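The exchange the box idea above describes, written out as an added example (this is not code from the comment, from Visa, or from any real card-network scheme). It assumes a secret provisioned into the box at enrolment, a PIN the box checks locally, and that the box fetches the merchant name and amount from the issuer over its own TLS session rather than trusting the PC; all names (Issuer, Box, Transaction) are hypothetical. The point it makes concrete is the one the comment hand-waves at: because the authorization token is a MAC over what the box displayed plus a one-time nonce, a trojan that can only relay or splice the traffic gets nothing useful, a swapped amount fails verification, and a captured token cannot be replayed.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// Transaction is what the merchant hands the issuer and what the box shows the
// customer for confirmation. Constructed for this example.
type Transaction struct {
	ID       string
	Merchant string
	Cents    int64
}

// Issuer stands in for the card network's web service (hypothetical).
type Issuer struct {
	keys    map[string][]byte      // box id -> secret shared at enrolment
	pending map[string]Transaction // transaction id -> the merchant's request
	nonces  map[string]string      // transaction id -> outstanding one-time challenge
	done    map[string]bool        // transaction id -> already authorized
}

func NewIssuer() *Issuer {
	return &Issuer{keys: map[string][]byte{}, pending: map[string]Transaction{},
		nonces: map[string]string{}, done: map[string]bool{}}
}

// Box is the customer's dedicated device: a secret it never exports and a PIN
// that is checked locally, so the PIN never crosses the network.
type Box struct {
	ID     string
	secret []byte
	pin    [32]byte // sha256(PIN); a real device would keep this in protected storage
}

// Enroll provisions a box. Assumed to happen out of band when the box is bought.
func (i *Issuer) Enroll(id, pin string) *Box {
	secret := make([]byte, 32)
	if _, err := rand.Read(secret); err != nil {
		panic(err)
	}
	i.keys[id] = secret
	return &Box{ID: id, secret: secret, pin: sha256.Sum256([]byte(pin))}
}

// MerchantSubmit is the merchant-to-issuer leg: the merchant registers the
// transaction and shows its ID on the checkout page for the customer to key in.
func (i *Issuer) MerchantSubmit(tx Transaction) {
	i.pending[tx.ID] = tx
}

// Challenge is the box-to-issuer leg: the issuer returns its own copy of the
// transaction plus a fresh nonce. The amount and merchant come from the issuer,
// not from the PC, so malware on the PC has nothing to alter.
func (i *Issuer) Challenge(txID string) (Transaction, string, error) {
	tx, ok := i.pending[txID]
	if !ok || i.done[txID] {
		return Transaction{}, "", errors.New("no such pending transaction")
	}
	n := make([]byte, 16)
	if _, err := rand.Read(n); err != nil {
		return Transaction{}, "", err
	}
	nonce := hex.EncodeToString(n)
	i.nonces[txID] = nonce
	return tx, nonce, nil
}

// token is HMAC-SHA256 over exactly the fields the box displayed plus the nonce.
func token(key []byte, boxID string, tx Transaction, nonce string) string {
	h := hmac.New(sha256.New, key)
	fmt.Fprintf(h, "%s|%s|%s|%d|%s", boxID, tx.ID, tx.Merchant, tx.Cents, nonce)
	return hex.EncodeToString(h.Sum(nil))
}

// Authorize runs on the box after the customer has read the merchant and amount
// off its display and keyed the PIN.
func (b *Box) Authorize(tx Transaction, nonce, pin string) (string, error) {
	h := sha256.Sum256([]byte(pin))
	if subtle.ConstantTimeCompare(h[:], b.pin[:]) != 1 {
		return "", errors.New("wrong PIN")
	}
	return token(b.secret, b.ID, tx, nonce), nil
}

// Verify is the issuer's final check: recompute the token over its own record and
// the nonce it issued, then retire the nonce so the token cannot be replayed.
func (i *Issuer) Verify(boxID, txID, tok string) error {
	key, ok := i.keys[boxID]
	if !ok {
		return errors.New("unknown box")
	}
	tx, havePending := i.pending[txID]
	nonce, haveNonce := i.nonces[txID]
	if !havePending || !haveNonce || i.done[txID] {
		return errors.New("no outstanding challenge")
	}
	if !hmac.Equal([]byte(tok), []byte(token(key, boxID, tx, nonce))) {
		return errors.New("bad authorization token")
	}
	i.done[txID] = true
	delete(i.nonces, txID)
	return nil
}

func main() {
	issuer := NewIssuer()
	box := issuer.Enroll("box-0001", "4711")
	issuer.MerchantSubmit(Transaction{ID: "T-9001", Merchant: "Example Wii Store", Cents: 24999})
	tx, nonce, _ := issuer.Challenge("T-9001")
	tok, _ := box.Authorize(tx, nonce, "4711")
	fmt.Println("authorized:", issuer.Verify(box.ID, tx.ID, tok) == nil)
	fmt.Println("replay rejected:", issuer.Verify(box.ID, tx.ID, tok) != nil)
}
```

The design choice worth noting is that nothing the merchant's page shows the customer is trusted by the issuer: the transaction ID is only a lookup key, and the box confirms the amount and merchant it got from the issuer itself. That is what makes the "phish site with a fake authorization link" attack from the comment fall flat, since a phishing page can at most register a transaction the customer will see (and decline) on the box's own display.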
The entire idea of these companies is that they present a publicly viewable, *SUE-ABLE* name to ensure a path to the company applying for the certificate. An "open ca" would be utterly useless in accomplishing this.
The idea is that verisign and pals spend a non-zero amount of time verifying you are who you say you are. Such a non-zero amount of time costs money. Hence the certificate costs money. Whether it is priced right or not is driven only by demand and production. Deal with it, or make your own.
And after you investigate and find a reliable plumber, you don't want to have an impostor show up with a big wrench and an invoice pad.
This isn't much of an issue in meatspace, but on the Internet the work you did to determine whether a business is acceptably safe is wasted if you end up at a typo squatter's site.
The value of a third-party certificate, limited by the relatively weak checking and the fact that virtually no customers understand it, is that although anyone could register bofa.com and be impossible to catch, if you see a cert then you can look at the DN and know where to send a process server if something goes wrong. In principle, certs from CAs provide the mapping from a public key to meatspace identity that allows you to transfer your offline knowledge to online transactions.
The other thing that limits the value is that CAs aren't offering nice fat sums of money to reimburse anyone who gets fooled by https://www.paipal.com/.
This should all have been connected to trademarks in the first place. Trademark law has been sorting out impersonation and confusion for centuries. Certs should attest to a trademarked logo, CAs should check the trademark registry or other documentation.
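Two points in this thread are easy to see in code: the comment above that the only thing separating CAcert from Thawte is whether the root is in the browser's store, and the point here that a certificate maps a hostname to a subject DN, so a typo-squatted name fails even when the certificate itself is perfectly valid. The following is an added example (not code from the thread, from CAcert, or from Mozilla) that builds a throwaway root, issues a leaf, and runs the same checks a browser runs, using only Go's standard library. The CA names, hostnames and organization strings are made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ToyCA is a hypothetical in-memory certificate authority: a self-signed root
// and the private key that signs end-entity certificates. It stands in for any
// CA, open source or not.
type ToyCA struct {
	Root *x509.Certificate
	key  *ecdsa.PrivateKey
}

func randomSerial() *big.Int {
	s, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		panic(err)
	}
	return s
}

// NewToyCA creates a root certificate signed by its own key.
func NewToyCA(name string) (*ToyCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          randomSerial(),
		Subject:               pkix.Name{Organization: []string{name}, CommonName: name + " Root"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	root, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &ToyCA{Root: root, key: key}, nil
}

// Issue signs a server certificate for host. org is whatever the CA verified
// about the applicant; it lands in the subject DN, the field the "where to send
// a process server" argument relies on.
func (ca *ToyCA) Issue(host, org string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: randomSerial(),
		Subject:      pkix.Name{Organization: []string{org}, CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Root, &key.PublicKey, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Trusted does what a browser does: chain leaf to a root in its trust store and
// check that the name the user typed is one the certificate actually covers.
func Trusted(leaf *x509.Certificate, store []*x509.Certificate, host string) error {
	pool := x509.NewCertPool() // an empty pool, not nil: nil would fall back to the OS roots
	for _, r := range store {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

func main() {
	openCA, err := NewToyCA("Open CA")
	if err != nil {
		panic(err)
	}
	leaf, err := openCA.Issue("www.paypal.example", "PayPal Inc")
	if err != nil {
		panic(err)
	}
	store := []*x509.Certificate{openCA.Root}
	fmt.Println("subject DN:      ", leaf.Subject)
	fmt.Println("root in store:   ", Trusted(leaf, store, "www.paypal.example"))
	fmt.Println("root not in store:", Trusted(leaf, nil, "www.paypal.example"))
	fmt.Println("typo-squat host: ", Trusted(leaf, store, "www.paipal.example"))
}
```

Run it and the three verification calls return nil, an UnknownAuthorityError, and a HostnameError respectively. The second result is CAcert's situation in this thread: a correctly signed certificate that every browser rejects because the root is simply absent from the store. The third shows the limit the paipal.com comment is pointing at: the certificate check catches a wrong name only if the user typed the right one, and says nothing about whether "PayPal Inc" in the DN was verified carefully.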