Slashdot Mirror


Is It Time For an Open Source Certificate Authority?

cagnol writes "So far there are three free ways to get a free certificate to sign your email and receive encrypted communications: Thawte, Comodo and CAcert. Thawte's root certificate is in mainstream browsers. Thawte's interface is good and the web of trust allows for increased security by verifying people's identity. However, Thawte is not open-source; worse, it is owned by VeriSign. Comodo's root certificate is in mainstream browsers too, but there is no web of trust and their forms are not always working. CAcert is the closest to an open-source certificate authority but is not open-source and it seems that parts of the system are shaky. CAcert provides a web of trust. Unfortunately, CAcert's root certificate is not in mainstream browsers. Don't you think it is time for a true open-source certificate authority? Should this community be related to the Mozilla Foundation and comply, since day one, with the requirements to get a root certificate in Firefox?"

1 of 219 comments

  1. Re:Zimmerman has it right. by StormReaver · Score: 0, Redundant
    "...there are presumably fewer security checks that the person requesting the certificate is who he says he is."

    When I set up my employer's online payment system, I went to VeriSign's site (which I opposed, but I was overruled) and signed up for a certificate. I got a call from VeriSign that went something like this:

    VeriSign: Are you the person who requested a certificate?
    Me: Yes.
    VeriSign: Send us the money and we'll email your certificate to you.

    The certificate arrived in unencrypted email! I kid you not.

    That was hardly inspiring security. Considering that anyone who was eavesdropping on our unencrypted email traffic could have intercepted our certificate at the source, identity verification via CAs is next to worthless. Certificate Authorities are just con artists preying on people's fears.

    The only thing a certificate is actually good for is to ensure that traffic between Point A and Point B is being encrypted sufficiently well to be meaningless to anyone who intercepts it. For that, a VeriSign certificate is no better than a self-signed certificate. I would prefer a self-signed certificate, because then at least it isn't susceptible to interception before implementation.