
Re: [OCLUG-Tech] CACert - free digital certificates

Dan Langille wrote:
> On 3 Jun 2005 at 10:20, Bill Strosberg wrote:
> 
> 
>>Dan Langille wrote:
>>
>>>On 3 Jun 2005 at 9:27, Adrian Irving-Beer wrote:
>>>
>>>
>>>
>>>>On Thu, Jun 02, 2005 at 03:30:19PM -0400, Bill Strosberg wrote:
>>>>
>>>>
>>>>
>>>>>CA-issued certs & automatic browser inclusion of root certs always
>>>>>have been a thorn in my side.  Why should anyone trust someone else
>>>>>because they paid a third party to say they are who they are? (even
>>>>>if they lied).
>>>>
>>>>The original (primary) idea was that the cert companies verify who
>>>>you are, sort of like PGP.
>>>>
>>>>The (secondary) idea was to prevent man-in-the-middle attacks by
>>>>ensuring that the 'in the middle' guy has to a) at least expend more
>>>>effort trying to get a similar certificate, and b) hopefully not
>>>>succeed.
>>>>
>>>>Obviously, I have no idea if either of these are still being
>>>>practiced by the companies in question.
>>>
>>>
>>>So... about CACert....
>>>
>>>What do you think about them?
>>
>>Companies like this ask you to install a chain-of-authority cert along
>>with the cert they issue you - this establishes their path back to a
>>trusted root cert when someone queries the webserver for the cert
>>info.
>>If you properly install the chain cert, users that connect to your
>>webserver can SSL/TLS without those annoying "Warning!" messages
>>slowing their surfing.
>>
>>CACert is no better or worse than anyone else in the business.  My
>>position is that the whole on-line trust model is broken.
>>Profit!-motivated organizations have no place in a trustworthy system.
>>Principles are always soluble in cash.
> 
> 
> CACert is not a company.  It's not involved in cash.  There's no 
> profit.  I don't see how your comments relate to my question.
> 

Dan:

<after 30 minutes drilling through CACert.org site for specifics>

My position is that the on-line client-server trust model is broken -
and anyone participating (CACert included) is part of a broken system.
The mission, structure and governance of the organization issuing certs
isn't relevant.

In terms of relevance, CACert is trying to exist in a market dominated
by profit driven organizations with a vested interest in preventing
CACert from being excluded from browsers.  I do not think that the
current system will ever allow a free cert issuer to breach the
established model.  I would expect a Karl Rove-style media campaign from
the Verisigns of the world on the degradation of e-commerce if a browser
developer were to publicly contemplate inclusion of the CAcert root cert.

Although CACert's efforts are worth supporting and potentially
acceptable to you and me as a trust model, in reality they are probably
not going to reach acceptance by the general population.

CACert's verification process is probably worse than the commercial
efforts of Entrust et al - they apply to people only, and corporate
bodies are not verifiable.  Basic verification consists of a "can you
fog a mirror electronically" email ping. Assurance involves meeting
another member and showing Government issued ID to gain trust points.

The real need for PKI/trust electronically is for topically-uneducated
users.  Electronic commerce.  Known company to unknown user
transactions.  The real people to real people nature of CACert doesn't
address this need at all.

That being said, I'll join because their concept takes the best part of
the web-of-trust model and duct-tapes it to the existing monolithic
trusted third-party model.  Kind of Frankencertish.

I'm going to google and research the Mozilla discussions regarding
inclusion of CAcert's root cert in the browser. Should be interesting
reading.

--
Bill
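
The chain-cert point made earlier in this thread (a server has to present the issuer's intermediate so a client can walk back to a root it already trusts) and the man-in-the-middle point (a cert for the same name from a CA the client does not trust must not verify) can both be seen in a few minutes with the openssl command-line tool. The script below is an added example, not something posted in the thread or published by CAcert; it assumes an openssl binary (1.0.2 or later, for -verify_hostname) and uses made-up CA names and the made-up hostname www.example.test. It builds a root, an intermediate and a server cert in a temporary directory, then verifies the server cert the way a client would, trusting only the root:

```shell
#!/bin/sh
# Added example (not from the thread): build a throwaway root -> intermediate -> leaf
# chain with openssl and show, from the client's side, why the issuer's "chain cert"
# (the intermediate) must be served with the server cert, and why a second CA's cert
# for the same hostname does not verify. CA names and the hostname are made up.
set -e

WORK=$(mktemp -d)
trap 'cd / && rm -rf "$WORK"' EXIT
cd "$WORK"

# Extensions for CA certificates (root and intermediate) and for the server leaf.
cat > ext-ca.cnf <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
cat > ext-leaf.cnf <<'EOF'
basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:www.example.test
EOF

# mkcert NAME SUBJECT EXTFILE [ISSUER]: writes NAME.key and NAME.crt.
# Without ISSUER the cert is self-signed (a root); otherwise ISSUER.key signs it.
mkcert() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "$2" >/dev/null 2>&1
  if [ -z "$4" ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 3650 \
      -extfile "$3" -out "$1.crt" >/dev/null 2>&1
  else
    openssl x509 -req -in "$1.csr" -CA "$4.crt" -CAkey "$4.key" -CAcreateserial \
      -days 365 -extfile "$3" -out "$1.crt" >/dev/null 2>&1
  fi
}

# client_check LEAF [EXTRA]: verify LEAF as a browser that trusts only root.crt,
# using whatever certificates the server sent alongside the leaf (EXTRA, if any).
# Prints "ok" when a path to root.crt is found, "fail" otherwise.
client_check() {
  if [ -n "$2" ]; then
    extra="-untrusted $2"   # expanded unquoted below on purpose: two words
  else
    extra=""
  fi
  if openssl verify -CAfile root.crt -verify_hostname www.example.test \
       $extra "$1" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# The "trusted root" the client ships with, the CA's intermediate, and our server cert.
mkcert root  "/CN=Example Root CA"    ext-ca.cnf
mkcert inter "/CN=Example Issuing CA" ext-ca.cnf   root
mkcert leaf  "/CN=www.example.test"   ext-leaf.cnf inter
# What the web server should actually serve: leaf first, then the chain cert(s).
cat leaf.crt inter.crt > fullchain.pem

# A second, unrelated CA issuing a cert for the same name (the man-in-the-middle case).
mkcert rogue      "/CN=Rogue CA"         ext-ca.cnf
mkcert rogue-leaf "/CN=www.example.test" ext-leaf.cnf rogue

echo "leaf only, chain cert not installed: $(client_check leaf.crt)"                 # fail
echo "leaf + intermediate served:          $(client_check leaf.crt inter.crt)"       # ok
echo "fullchain.pem served:                $(client_check leaf.crt fullchain.pem)"   # ok
echo "rogue CA's cert for the same name:   $(client_check rogue-leaf.crt rogue.crt)" # fail
```

The first check is exactly the "Warning!" case from the thread: the leaf is valid, but with the intermediate missing the client cannot reach root.crt, and openssl reports "unable to get local issuer certificate". Serving fullchain.pem (leaf followed by the intermediate) fixes it without touching the client. The last check shows the other half of the model: the rogue CA's cert carries the same hostname and a complete chain of its own, but since its root is not in the client's trust store it is rejected, which is the whole reason a would-be man in the middle has to get a cert from a CA the browser already ships.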