Slashdot Mirror


Is It Time For an Open Source Certificate Authority?

cagnol writes "So far there are three free ways to get a free certificate to sign your email and receive encrypted communications: Thawte, Comodo and CAcert. Thawte's root certificate is in mainstream browsers. Thawte's interface is good and the web of trust allows for increased security by verifying people's identity. However, Thawte is not open-source; worse: it is owned by VeriSign. Comodo's root certificate is in mainstream browsers too, but there is no web of trust and their forms are not always working. CAcert is the closest to an open-source certificate authority but is not open-source, and it seems that parts of the system are shaky. CAcert provides a web of trust. Unfortunately, CAcert's root certificate is not in mainstream browsers. Don't you think it is time for a true open-source certificate authority? Should this community be related to the Mozilla Foundation and comply, since day one, with the requirements to get a root certificate in Firefox?"

1 of 219 comments

  1. Re:Zimmerman has it right . by billcopc · Score: 3, Interesting

    While that concept works great in other realms, the truth is Visa has no interest in reducing fraud. They profit from fraudulent transactions, and so do their customers. The ones who are hit hardest are the sellers, as not only do they have to pay ridiculous chargeback fees, they often lose the item they were selling.

    Let's say you buy something off the net, then call a month later and declare the transaction as fraudulent.... IMMEDIATELY they yank the cash out of the merchant's account, send you a cute little form you have to sign and fax back, and a week later they refund your money. You get to keep the item because you have the benefit of the doubt, or to be more precise: Visa and MC treat all merchants as guilty by default.

    One time I had a customer buy an item, a hard drive for example. Then once the card went through, he decided he wanted another one (twit). So I cut him a second invoice and charged the card again for the same amount. A month later I get a letter regarding the 2nd transaction being a "duplicate", that it had already been reversed and a hit filed on my record. It took another couple of weeks of me faxing serial numbers, signatures and ultimately sending video proof from my security cameras (with sound). I was just about ready to go reclaim the hard drive in person and rip the guy's head off. A month later a supposed review committee decided in my favor "in light of evidence provided".

    Now I was providing physical products with clear evidence of the transaction. I can only imagine how horrible the problem is for mail-order and online transactions. How can a merchant prove they sold something if they've never met the customer?

    --
    -Billco, Fnarg.com