Is It Time For an Open Source Certificate Authority?
cagnol writes "So far there are three free ways to get a free certificate to sign your email and receive encrypted communications: Thawte, Comodo and CAcert.
Thawte's root certificate is in mainstream browsers. Thawte's interface is good and the web of trust allows for increased security by verifying people's identity. However Thawte is not open-source; worse: it is owned by VeriSign. Comodo's root certificate is in mainstream browsers too but there is no web of trust and their forms are not always working.
CAcert is the closest to an open-source certificate authority but is not open-source and it seems that parts of the system are shaky. CAcert provides a web of trust. Unfortunately, CAcert's root certificate is not in mainstream browsers.
Don't you think it is time for a true open-source certificate authority? Should this community be related to the Mozilla Foundation and comply, since day one, with the requirements to get a root certificate in Firefox?"
Your scheme is brilliant because:
- Credit card companies have an infinite supply of employees and money to authorize me every time I need to use my card to buy a 99 cent pack of gum without subjecting me to a 20 minute wait time.
- I have an infinite supply of time to wait for said authorization.
In the past few months I have actually found that several retailers have RELAXED their signature requirements on credit card purchases. Many stores now no longer require a signature below a certain amount. (IIRC, my local Home Depot is now $50.) Incidentally, I am liable for the first $50 in unauthorized purchases... hmmm...
They seem to have infinite employees calling me to add new services to my card that are expensive, overpriced, difficult to cancel "protections" that I'm ultimately ineligible for.
"You really should have it and be paying for it now in case you ever become eligible for the benefits and then lose your job!" WTF? (By ineligible I mean I'm self-employed, so not eligible at all under most of their crap.)
Let's say that Visa launched a new line of credit cards, call it 'Visa Net Secure' or something: they could provide a web-interface for allowing or declining transactions, in which detailed information about the transaction (and more importantly, the company conducting the transaction) is available. You can set certain companies to 'trusted', whose transactions are automatically accepted. And to fix your 99 cent problem, you can just as well use that 'accept transactions below a certain threshold' idea there too.
Heck, they could even make it so that you receive an email every time a transaction to your card occurs, so you don't have to proactively check for transactions. If only such a card existed.. :-)
.. oh yeah, they should make their interface web-2.0 compliant too with rss feeds and funky javascript.
- Leon Mergen
http://www.solatis.com
So let me get this straight. I go through the checkout line, I swipe my card, sign the authorization slip, and then whip out my internet connected PDA / cell phone / laptop to authorize the transaction before the merchant gets their payment confirmation and I can walk out of the store.
Brilliant... except for all of the obvious flaws...
Citibank can already send me daily alerts on my current account balance. Anything more is superfluous as my liability is only limited to $50 of unauthorized purchases made on my credit card. Chances are that limit will be reached the FIRST time some miscreant uses my card.
I think the current system works very well. But if you want a simple, quick, low-tech method for accomplishing much more for much less... REQUIRE a picture on every single credit card (POS transactions), and be strict about the requirement on merchants to ship ONLY to addresses on file (online/telephone transactions).