[OCLUG-Tech] Re: CACert - free digital certificates (Dan Langille
I had a quick look at the CAcert.org web site trying to determine the answers
to the key questions I usually have. The first question is how the CA's
private key is protected. The other question is how trust is established with
the CA. And finally, how a CSR is authenticated before a certificate is
issued.

A CA, as in most PKI systems, is only as good as the protection placed on the
private key. If the private key is compromised then the trust is broken.
Most CAs are locked away and access is determined based on a set of
operating documents (CP, CPS, etc.). I think the private key security could
be a little better.

During the SSL/TLS setup process, the browser has to determine whether to
trust the site or not. Usually the root CA's certificates are preloaded in
the browser, but the user can load them manually. The list of browsers is
small, but growing. If your user community uses one of the browsers then
you are OK. Otherwise the user gets a warning and may not accept the
certificate presented by your site.

The most important question in my opinion is how the CA validates a CSR as
coming from you. If this is not done properly then the CA may issue or even
re-issue certificates to someone masquerading as you. In my opinion, this
is not done at all. Looks like they will sign a certificate from anyone
regardless of the content.

I personally don't think I would use this service for an e-commerce site. If
you can live with some of these limitations then this service is for
you. The price is right!
Hope this helps,
Bruce
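The browser-side trust decision Bruce describes (a site certificate is accepted only if it chains to a root the browser already holds and names the host being visited), shown as an added example that is not part of the original post or of CAcert's software. It builds a constructed root CA and a certificate for www.example.com with Go's standard crypto/x509 package; the names "Constructed Test Root CA" and www.example.com and the helper names are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must panics on err to keep the example short; production code would return it.
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

// newCert issues a certificate for tmpl signed by parent/parentKey (self-signed root when parent is nil).
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key // a root CA signs its own certificate
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// BuildChain makes a constructed root CA (standing in for one such as CAcert) and a site certificate it issued.
func BuildChain() (root, leaf *x509.Certificate) {
	now := time.Now().Add(-time.Hour) // small skew margin so NotBefore is safely in the past
	root, rootKey := newCert(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test Root CA"},
		NotBefore: now, NotAfter: now.Add(48 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	leaf, _ = newCert(&x509.Certificate{
		SerialNumber: big.NewInt(2), DNSNames: []string{"www.example.com"},
		NotBefore: now, NotAfter: now.Add(48 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, root, rootKey)
	return root, leaf
}

// Trusted mirrors the browser's decision: leaf is accepted for host only if it chains to a root in the trust store and names that host.
func Trusted(leaf *x509.Certificate, host string, roots ...*x509.Certificate) bool {
	store := x509.NewCertPool() // explicit empty store; a nil Roots would mean the system roots
	for _, r := range roots {
		store.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: store})
	return err == nil
}
```

With the root in the store, Trusted(leaf, "www.example.com", root) is true; with an empty store (the CA's root not preloaded) it is false, which is the point at which a browser shows the warning described above, and it is also false for a host the certificate does not name.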