Slashdot Mirror


User: Lennie

Lennie's activity in the archive.

Stories: 0
Comments: 3,689

Comments · 3,689

  1. Re:There are more problems with SSL than this on Are Some CAs Too Big To Fail? · Score: 1

    You don't by any chance have connection problems to Microsoft?

    As Windows comes with only a few root certs by default, the rest is checked on first contact by contacting Microsoft to see if they think it is a good CA.

    Even if the user has no administrator rights, it will still install the CA-root certificate on the machine-account.

  2. Re:No... on Are Some CAs Too Big To Fail? · Score: 1

    If you want to be on that default list, it will cost you a lot of time (and thus money) to get started.

    It is not that you have to pay a lot of money to browser vendors, it is because every browser vendor has its own set of rules, although many are discussed and 'standardised' through the CAB-forum.

    Most of the money you need to pay is for the auditing by an organisation like WebTrust or PricewaterhouseCoopers.

    The audit looks at your processes and procedures. And checks all the paperwork and that you keep paperwork on the certificates (and types) you grant and revoke.

    The audit checks if you pass all the requirements, after that you probably get on the list.

    At least that is what I understand from it, after looking into the CACert project.

    I hope they add a requirement that the CAs which allow for online automated requests need to have their technical infrastructure audited regularly too, with penetration testing and so on.

  3. Re:No... on Are Some CAs Too Big To Fail? · Score: 1

    Highly profitable? Hmm... well, there are also free certificates:

    https://www.startssl.com/

    Obviously you can pay for extra features, but it is still the cheapest choice for a lot of the extras.

  4. Re:Phoronix benchmarks are so frustrating on Linux 3D Games Run Faster On PC-BSD · Score: 1

    And it was different hardware. The CPU and GPU are pretty much the only parts that are the same.

    I still don't understand why they didn't run it on the same machine and not dual boot.

    Just have a separate HDD and swap that.

  5. Re:User ignorance on Are Some CAs Too Big To Fail? · Score: 1

    A man-in-the-middle attacker can just drop the packets to the OCSP responder (do browsers by default even download any CRLs anyway? Usually they are just too large, 700MB+); it will time out and the browser by default will just continue.

  6. Re:Sandy Bridge-E on AMD Starts Shipping First Bulldozer CPU · Score: 1

    Yes, that is why it is important that people still buy AMD.

    Even if AMD has to work within the limits of their abilities, this forces them to be creative and makes sure Intel does not slow down their development, as happens with any monopoly. But AMD isn't completely lost and thus even Intel can take their ideas and hopefully the customers win.

  7. Re:So a good idea would be... on Costly SSDs Worth It, Users Say · Score: 1

    ZFS with L2ARC seems to do fine with that, haven't looked closely how it does it though. But I hear it does have some optimizations.

  8. Re:So a good idea would be... on Costly SSDs Worth It, Users Say · Score: 1

    Yes, it has been done. Even in software, one of the best known is probably ZFS with L2ARC on Solaris and other systems, look it up.

    Have a nice day.

  9. Re:But its NOT centralized trust... on Rogue SSL Certs Issued For CIA, MI6, Mossad · Score: 1

    The current protocols, OCSP and CRL, don't even help to solve the CA-compromise problem.

    They don't even work properly to revoke just one certificate.

    There is a lot that needs to change and it needs to be backward compatible enough that a transition can be made.

    Which doesn't make it an easy task.

    But if you have a multi-CA system, you have to have a secure way to signal the browser or other application how many that should be. How will you do that?

    What if you have a website with 4 CAs, would that be good enough? What if you visit that site a day later and it only has 3 valid CAs. Would that still be enough?

    Do we want to give more money to more CAs?

    Lots of questions.

  10. Re:There is a deeper meaning here on WikiLeaks Publishes Cable Archive In Full · Score: 1

    Obviously he didn't know what it would be like when he would eventually get caught.

    So he didn't trust the newspapers to release it when it happened.

  11. Re:CAs Need To Go on Another CA Issues False Certificates To Iran · Score: 1

    Because DNSSEC hasn't been widely deployed yet (think like IPv6) and because many believe DNSSEC is the same as the single CA-system but indirectly controlled by the US-gov (the DNS-root is handled by http://en.wikipedia.org/wiki/ICANN ).

  12. Re:Crazy Response to Attack on Diginotar Responds To Rogue Certificate Problem · Score: 1

    I trust self-signed certs less than the current CA.

    Just create your own CA and import the self-signed CA-cert.

    Have you tried the 'tinyca' application yet ?

    It isn't perfect I'll admit that, but it is pretty easy.

  13. Re:Crazy Response to Attack on Diginotar Responds To Rogue Certificate Problem · Score: 1

    That is not true.

    As Firefox uses the existing Mozilla NSS-library, it uses the browser CA-list.

    Same on Windows, btw.

  14. Re:Very useful as a teaching tool on Details About Raspberry Pi Foundation's $25 PC · Score: 1

    That is not a coincidence, as that is the goal of the project.

  15. Re:OLPC was a readily-usable laptop on Details About Raspberry Pi Foundation's $25 PC · Score: 1

    It has analog TV-output and HDMI and HDMI can be converted.

  16. Re:Boring on Hackers May Have Nabbed Over 200 SSL Certificates · Score: 2

    1. Actually, revocation checking does not solve the problem, at least if someone had the CA private key they could generate the same IDs as other existing certificates. OCSP/revocation lists only check IDs, not names, which makes it not useful for all possible problems.

    2. I also think DNSSEC can be useful, it would be really helpful for the domain-owner to be able to make it clear that his website uses cert X and cert Y (which implies CA A and CA B). And not any other cert or CA. Deployment of DNSSEC is very slow though at the moment.

    We need at least 2 things:
    - a fallback method that browser makers want to adopt where DNSSEC hasn't been deployed by the ISP or when you are stuck in a "hotel network" or your OS does not support it and so on. Because the browser needs to get the keying material to be able to check if the data is properly signed. I do not think it even matters where it got it from, any old fallback channel might probably do. For OCSP HTTP is used, so maybe that is good enough here too?

    - much better industry support for automating the key rollover communication with TLDs. If I get my domain at some provider and run my own DNS-server there is hardly any provider, if any, which supports EPP or whatever to communicate my DS-record to the TLD. Many TLDs that have deployed some DNSSEC don't (yet) even support DNSSEC in their EPP for their direct customers/members.

    3. Can you be a bit more specific about what you proposed in 1993 ?
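
Comments 5, 9 and 16 above all rest on two properties of today's revocation machinery: a CRL (or OCSP) answer is keyed by the certificate's serial number, and a client that cannot fetch the answer usually continues anyway. The following Go program is an example added by the editor, not code from the original thread. It builds a throwaway PKI (the CA name, host name and serial numbers are made up) in which the CA has revoked the legitimate certificate for a host and someone holding the CA key has issued a second certificate for the same host under a fresh serial. Path validation accepts both, the CRL lookup catches only the first, and Decide models the soft-fail versus hard-fail outcome when the CRL never arrives because an on-path attacker dropped the request.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Decision is what a client does with a connection after revocation checking.
type Decision string

const (
	Accept Decision = "accept"
	Reject Decision = "reject"
)

// Scenario is a constructed PKI (made-up names, nothing from a real CA): one CA,
// a leaf the CA has revoked, and a "rogue" leaf that someone holding the CA key
// minted for the same host name under a new serial number.
type Scenario struct {
	Roots  *x509.CertPool
	CRL    *x509.RevocationList
	Victim *x509.Certificate // serial 1000, listed on the CRL
	Rogue  *x509.Certificate // serial 2000, same DNS name, not on the CRL
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, host string) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey))))
}

// BuildScenario creates the CA, both leaves, and a CRL that lists only the victim's serial.
func BuildScenario() *Scenario {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // crlSign is required to sign the CRL
	}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	victim := issueLeaf(ca, caKey, 1000, "www.example.com")
	rogue := issueLeaf(ca, caKey, 2000, "www.example.com") // same name, CA key reused, fresh serial

	crlTmpl := &x509.RevocationList{
		Number:     big.NewInt(1),
		ThisUpdate: time.Now().Add(-time.Minute),
		NextUpdate: time.Now().Add(24 * time.Hour),
		// A CRL entry is (serial number, time) under the issuer; the subject name is not part of it.
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: victim.SerialNumber, RevocationTime: time.Now().Add(-time.Minute)}},
	}
	crl := must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey))))
	if err := crl.CheckSignatureFrom(ca); err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return &Scenario{Roots: roots, CRL: crl, Victim: victim, Rogue: rogue}
}

// ChainValid is ordinary path validation; Go's Verify performs no revocation checking.
func ChainValid(roots *x509.CertPool, cert *x509.Certificate) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: "www.example.com"})
	return err == nil
}

// Revoked answers the only question a CRL can answer: is this serial listed?
func Revoked(crl *x509.RevocationList, cert *x509.Certificate) bool {
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true
		}
	}
	return false
}

// Decide applies a revocation policy. crl == nil models a fetch an on-path attacker
// dropped until it timed out; softFail is the browser default described in comment 5.
func Decide(crl *x509.RevocationList, cert *x509.Certificate, softFail bool) Decision {
	if crl == nil {
		if softFail {
			return Accept
		}
		return Reject
	}
	if Revoked(crl, cert) {
		return Reject
	}
	return Accept
}

func main() {
	s := BuildScenario()
	fmt.Println("victim: chain valid", ChainValid(s.Roots, s.Victim), "revoked", Revoked(s.CRL, s.Victim))
	fmt.Println("rogue:  chain valid", ChainValid(s.Roots, s.Rogue), "revoked", Revoked(s.CRL, s.Rogue))
	fmt.Println("CRL unreachable: soft-fail", Decide(nil, s.Victim, true), "hard-fail", Decide(nil, s.Victim, false))
}
```

Run it with `go run`. The rogue certificate chains cleanly and is not on the CRL, so no amount of revocation checking distinguishes it from a legitimate one; only something that binds the host name to a specific certificate or key, which is what the DNSSEC-based idea in point 2 of comment 16 is after, can. The nil-CRL branch is the part an attacker who can drop packets relies on: with soft-fail, the revoked victim certificate is accepted as well.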

  17. Re:Boring on Hackers May Have Nabbed Over 200 SSL Certificates · Score: 2

    Moxie means that with the current CA-system, you have several CAs. With DNSSEC you in a way have just one CA. So if one CA messes up, with the current system, you can remove that one CA. But with DNSSEC you can't remove that one CA, because it is the only one.

    It is all more complicated of course, but that is his message.

  18. Re:Boring on Hackers May Have Nabbed Over 200 SSL Certificates · Score: 1

    While I agree about DNSSEC as a possible solution, a lot of people probably don't agree, because DNSSEC is too much like a single-CA-model, and many don't like it. I personally probably do trust the root to get it right, I just don't trust all the TLDs.

    Also you mention 8.8.8.8 and 8.8.4.4, but they don't have support for some of the basic parts of DNSSEC yet.

    Which means if I have a working DNSSEC-setup on my end that can verify the DNSSEC key material I can't use them to check what Google gives me.

    So it is currently useless.

  19. Re:Thanks! on Updated: Mozilla Community Contributor Departs Over Bug Handling · Score: 1

    There is a bugreport about that already: https://bugzilla.mozilla.org/show_bug.cgi?id=670622

  20. Re:You're wrong about addons on Updated: Mozilla Community Contributor Departs Over Bug Handling · Score: 1

    One of the many people that don't know about the 'Add-on Compatibility Reporter':

    https://addons.mozilla.org/en-US/firefox/addon/add-on-compatibility-reporter/

    That makes this easier and a way to report any issues you may have to the developers of Firefox and the add-on.

  21. Re:Is everything migrated to the browser nowadays? on Python Fiddle, an IDE That Runs In Your Browser · Score: 1

    Yes and on ARM-based devices.

  22. Re:$35 computer - dream come true on Raspberry Pi Running Quake 3 · Score: 1

    I guess a screen, a case and some other peripherals will make it more expensive.

    Maybe just a little lower than any ARM/BeagleBoard device.

    For example this is US $200 and during this summer US $150:
    https://www.alwaysinnovating.com/touchbook/ (detachable keyboard/touchscreen/2 batteries)

    (no this is not an ad, I don't even own such a device, just trying to make a point about the price)

  23. Re:God knows... on Can Google Save Us From Slow Internet · Score: 1

    But do you pay the same ISP a different price for the same service in different regions?

  24. Re:Google? on IBM Building 120PB Cluster Out of 200,000 Hard Disks · Score: 1

    Not to forget: latency

  25. Re:When that thing crashes on IBM Building 120PB Cluster Out of 200,000 Hard Disks · Score: 1

    What about the time and RAM it needs for doing a fsck if this was one filesystem?