Privacy Security The Internet

Free Certificate Authority Unveiled by Aussies 284

SonOfGates writes "Well, the Aussies have invaded Boston but at least they're not throwing tea into the harbor. AU-based nonprofit CAcert Inc has spent the last few days at USENIX '04 registering new users by the truckload. They bill themselves as a 'Community-Based CA.' Could this be the beginning of a true 'open' certificate authority? See the O'Reilly story and press release."

  • who else remembers (Score:5, Insightful)

    by ErichTheWebGuy ( 745925 ) on Thursday July 01, 2004 @11:27PM (#9589297) Homepage
    when Microsoft released that update for IE that included lots of new CAs? Anyone think this one will be included in the next one? My guess is no, judging from Microsoft's general resistance to anything open.

    But, we might be surprised. Opinions anyone?

    ps. Maybe they should patch the browser first ;)
    • Yea, I remember it... But, if you use anything mozilla like you can import the CA cert of any certificate authority you'd like. I am not sure how you do this with IE (since I wiped that right the hell off my boxes, my windows boxes don't even use it).

      Not as big an impact as you think..

      -Mind
      • Re:who else remembers (Score:5, Informative)

        by ErichTheWebGuy ( 745925 ) on Thursday July 01, 2004 @11:34PM (#9589337) Homepage
        Yea, you can do it in IE too. The problem is that end-users do not know how to, and the whole concept is completely foreign to them.

        Sad as it may be, IE is still used by something like 85% of the world.

    • by 0racle ( 667029 ) on Thursday July 01, 2004 @11:31PM (#9589320)
      Microsoft has no resistance to *everything* open, despite what you read on Slashdot.
      • Microsoft has no resistance to *everything* open

        That's not what I meant, my bad for being unclear. I was getting at their general tendency to shy away from things that are open, not proprietary. I know they are not opposed to everything open, just look at their recent open-sourcing of some of their code.
      • I'm curious (not trolling, despite my sig), could you name something that Microsoft has that's open, that they weren't forced to use in order to compete (e.g. "shared source")? I'm trying, but I can't think of any myself.
        • MS has absolutely no opposition to open wallets.
        • Re:who else remembers (Score:5, Informative)

          by 0racle ( 667029 ) on Friday July 02, 2004 @01:42AM (#9589865)
          Services for Unix is widely known to use BSD licensed code and utilities from the OpenBSD project. The TCP/IP stack in early NT products was BSD code, and it's possible some of the utilities, the ftp client for example, is still BSD code.

          Microsoft doesn't like the GPL, but the GPL is not the be all and the end all of Free Software. Microsoft has no problems with other open licenses.
    • by stray ( 73778 ) on Friday July 02, 2004 @05:52AM (#9590531) Homepage
      In the June edition of ;login: (the Usenix Association [usenix.org]'s magazine), there is an article by Adam Butler (of CAcert) describing the project and shedding some light on the process of getting a CA root certificate included into various browsers:

      Quote from the article:

      "In true Microsoft style, Redmond adopted a new metric for determining whether a CA's root certificate is to be included with its browser/OS/kitchen-sink product: In order for a CA's root certificate to be accepted - I swear I'm not making this up - Redmond said CA must pay a WebTrust-licensed member of the American Institute of Certified Public Accountants up to $250,000 for an initial evaluation/inspection, plus additional tens of thousands of dollars in fees on a periodic "follow-up" basis.

      The makers of the Opera Web browser did not respond to email queries regarding their inclusion policies/requirements; however, a Bermuda-based CA representative stated in the netscape.public.mozilla.crypto newsgroup that "as of [his] last contact in 2003, Opera wanted cash to add a CA [root certificate]. They did not appear to have a standards policy.".


      He goes on to describe the process of getting the root cert, hopefully, included into the Mozilla project through a Bugzilla feature enhancement request. From what I read from the article, the discussion about this is still going on.

    • by VivianC ( 206472 ) <internet_update@@@yahoo...com> on Friday July 02, 2004 @09:53AM (#9591914) Homepage Journal
      ...judging from Microsoft's general resistance to anything open.

      You are obviously one of those /. anti-Microsoft trolls. How could you accuse them of being against anything open? Outlook and IE are two of the most "open" programs I've ever seen. And don't even get me started on how "open" Windows is in general when you stick it on a broadband connection without a firewall. That was four hours of cleaning at my cousin's house last weekend.
  • by Anonymous Coward on Thursday July 01, 2004 @11:28PM (#9589305)
    I'm sure Mozilla/Opera might, but what about Microsoft? If Internet Explorer doesn't support it's unfortunately not very useful.
    • by dj42 ( 765300 ) on Thursday July 01, 2004 @11:38PM (#9589363) Journal
      I think the key to disrupting IE is by creating things it doesn't or won't support. It can't be done quickly, I don't think, but slowly, as the browsers merge in their useful and techs that disdain MS help ignorant users to install and use them, MS can be made an equal player. Instead of a dominant force that will eventually control the US Media by holding the power of the infrastructure.
    • by njdj ( 458173 ) on Friday July 02, 2004 @02:54AM (#9590057)
      If Internet Explorer doesn't support it's unfortunately not very useful.

      Translation: You still use Microsoft Internet Explorer.

      People who use MSIE obviously are not concerned about privacy or security, so CAs are irrelevant to them.

      Consequently, people who still use MSIE are irrelevant to those of us who are concerned about privacy and security. People who are concerned about privacy and security are a small minority of Internet users. That doesn't mean we shouldn't try to get the privacy and security we want.

  • Sounds like... (Score:4, Interesting)

    by kai5263499 ( 751741 ) * <kai@@@werxltd...com> on Thursday July 01, 2004 @11:29PM (#9589308) Homepage
    The mythical "web of trust" we were supposed to have in Verisign/Thawte/etc... is finally coming true in a NON-PROFIT entity.

    Too bad this cert isn't defaultly trusted by IE/FireFox.

    Interesting side note: when I received the registration email from them, Outlook 2003 (yeah, I know...) marked it as "junk mail".
  • Good for them (Score:5, Informative)

    by A. Pizmo Clam ( 779689 ) <{moc.oohay} {ta} {malc_omsipa}> on Thursday July 01, 2004 @11:30PM (#9589312) Homepage
    Many ISPs and low-budget groups have self-signed certs. They're easy to make. Hopefully this project will make it easier. I have quite often seen sites with a self-signed cert and another page giving the fingerprint of the cert. Most vendors allow these, but they aren't "trusted".

    The only reason the big companies charge so much (their claim, not mine) is the insurance they provide, and the fact that they are "trusted" by the various vendors.

    Any new group wanting to be a trusted CA will face the liability issue -- if one of your customers sues you, even if you try to disclaim all liability up front, you will still face massive court fees. Even if you won in court, you would lose financially if not insured.

    There is no technical or logistical problem with setting up a Free (and free) common-geek's CA, the problems are entirely legal ones. I know because I looked into it right after SSL came out. It looks like a good business plan, right up until someone takes you to court.
    • Re:Good for them (Score:3, Interesting)

      by RAMMS+EIN ( 578166 )
      ``Even if you won in court, you would lose financially if not insured.''

      Unless you win the case, and the losing party pays for your court fees. This is common in countries employing civil law [wikipedia.org], as opposed to (mostly) former members of the Commonwealth that employ common law [wikipedia.org].

      Australia might not have been the best place to found this organization.
      • If you, as a small corporation, non-profit or individual, go up in court against a large corporation or an ambulance-chasing shark, your chances of losing are better than not. Loser-pays systems therefore discourage lawsuits by the little guy against the big guy, and make the little guy more likely to throw up his hands and settle when sued by the big guy.

        Although they certainly do make for litigation-happiness, overall the non-loser-pays system is healthier for democratic participation in the
        • Re:Good for them (Score:3, Insightful)

          by mrchaotica ( 681592 )
          The problem with non-loser-pays is that small organizations/individuals can't afford to fight at all, even with a rock-solid case, because they'll run out of money before it's over.
        • Re:Good for them (Score:3, Interesting)

          by joggle ( 594025 )
          Although they certainly do make for litigation-happiness, overall the non-loser-pays system is healthier for democratic participation in the legal system.

          Very good point. It's a shame the same doesn't apply in criminal court. The accused (almost always a little guy) can be charged with virtually anything by the prosecution (ie, high potential cost), being coerced into accepting a plea-bargain for probation 90% of the time regardless of guilt (at least here in the US). So when it really counts litigation-ha

        • Re:Good for them (Score:3, Interesting)

          by RAMMS+EIN ( 578166 )
          I see it rather the other way around.

          In a system where everyone pays their own legal fees, smaller parties are more likely to avoid lawsuits against bigger parties, because chances are the bigger party will continue the suit until the smaller one goes bankrupt.

          I observe this in the Real World, too. Many important court cases in the USA seem to get settled, even though in Europe, the smaller party would probably have continued and won. This fits my expectations. That said, I have not done any solid researc
          • Re:Good for them (Score:2, Interesting)

            In a system where everyone pays their own legal fees, smaller parties are more likely to avoid lawsuits against bigger parties, because chances are the bigger party will continue the suit until the smaller one goes bankrupt.

            You're assuming an open-and-shut case. For open-and-shut cases, this is probably true. But most cases are not open-and-shut. Loser-pays tends to discourage lawsuits whose favorable outcomes are not assured - i.e. most of them. Which I'll grant you includes most frivolous lawsuits
        • Re:Good for them (Score:3, Interesting)

          by julesh ( 229690 )
          If you, as a small corporation, non-profit or individual, go up in court against a large corporation or an ambulance-chasing shark, your chances of losing are better than not.

          That's not the way it works in the UK. As a director of a small company that has taken a few larger businesses to court, I can tell you that most of the time, the smaller business wins. That's because most of the time, the smaller business is _right_, and that's what the court is interested in.

          I'm convinced that the UK civil court
  • great news! (Score:2, Informative)

    There is no reason to pay for certificates - initially the issue was about trust. The infrastructure to set up a cert authority is not complicated, as mentioned...you just need people to trust the certificates that you issue. God (and slashdotters) know the kind of crap that VeriSign has pulled before [google.com]. It's good to see alternatives.
  • by Anonymous Coward on Thursday July 01, 2004 @11:31PM (#9589321)
    While I normally think the government should keep its nose out of most places, I think this is one place where the government could actually do some good. Just like many states and governments provide officially accepted picture IDs to individuals, I think they could easily set up a service to provide official digital IDs to all the citizens. Companies like Verisign may still have a role in providing corporate certs, etc, but I think the government is the best way to provide a universally recognized digital ID to everyone.
    • Alternatively... (Score:5, Informative)

      by temojen ( 678985 ) on Friday July 02, 2004 @12:32AM (#9589607) Journal

      Here's a summary of a proposal I wrote for Canadian provinces...

      The Governor General's office acts as the root CA for Government Ministries & Crown Corporations and Professional Associations.

      Any professional association (Bar Association, College of Physicians & Surgeons, Engineers, etc) acts as a CA for its members and corporations working in their field (Law firms (lawyers, paralegals, legal secretaries), Medical Clinics (Doctors, Nurses, X-Ray Techs, Appointment Clerks), etc)

      Certified Accountants act as a CA for Corporations, Societies, Partnerships, etc.

      The Notaries public act as a CA for individuals.

    • Denmark has this... (Score:5, Informative)

      by Jezral ( 449476 ) <mail@tinodidriksen.com> on Friday July 02, 2004 @12:44AM (#9589656) Homepage
      Denmark has free digital signatures for all citizens, for use in email, to sign in on sites, etc...

      URLs:
      - http://www.digitalsignatur.dk/ [digitalsignatur.dk]
      - http://privat.tdc.dk/digital/ [privat.tdc.dk]
      (both in Danish, though...)

      The technicalities are run by the largest phone company/ISP, TDC, but otherwise it's fully a government thing.
    • I think this is one place where the government could actually do some good.(...) officially accepted picture IDs to individuals

      There are two problems with this. As another message pointed out, not all governments are equally trustworthy. Would you trust an ID issued by Nigeria? Or would you wonder how easy it is to bribe a Nigerian official to issue one in any name you wanted?

      Now look at it from the viewpoint of a Nigerian citizen. How can he/she get acceptable ID? Clearly, not from the government.

      The seco

    • by Cerebus ( 10185 ) on Friday July 02, 2004 @06:17AM (#9590593) Homepage
      There are privacy problems inherent in X.509 that should make you nervous. There is no way to do an anonymous transaction (say, via cash) secured with an X.509 certificate because your *name*, not the key, is the important part of X.509. That means you must always reveal your name.

      In addition, an X.509 certificate can bind any number of attributes to that name, and it's up to the CA-- not you-- to decide what those are. Once they're in the certificate, *you cannot decide not to provide them*. Kinda takes away your control over your private information.

      Look up the work of Carl Ellison & Ron Rivest and others on X.509 and privacy, particularly in contrast to how SPKI handles things.
      • by cubic6 ( 650758 ) <tom@losth a l o . o rg> on Friday July 02, 2004 @02:29PM (#9594870) Homepage
        The whole point of X.509 certificates is that your name is attached. It's meant for verification of identity, not anonymous transactions. If you took away the name component, there would be no security because the other party has no guarantee that you are who you say you are. It'd be like having a driver's license with no name or picture, just a little notice saying that "someone" is licensed to drive. If you need some secure way of making anonymous transactions, I'd imagine a one-way auth system like SSL would work better.
  • by mabu ( 178417 ) on Thursday July 01, 2004 @11:32PM (#9589322)
    The whole notion that a Cert authority is needed is essentially bogus in my opinion. We've been rolling our own certs for years for all but the main e-commerce web servers. Who wants to pay the outrageous extortion fees Verisign/Thawte charge and jump through the goofy hoops? I bite my lip and do this every two years for the main web server just so my clients don't totally (unnecessarily) freak out at the prospect of a dialogue box popping up in SSL mode warning them that Microsoft's "paranoia-protection-money" wasn't paid-off.

    The Cert authorities are a joke. We registered one CA with Verisign with virtually no documentation, and another time, when renewing an existing, different cert, they demanded everything short of a blood test for "authentication." It's nothing short of criminal considering they charge $200+ for something that takes 10ms to generate that they make people wait weeks for, and in no way guarantees superior security, and they'll make certs for anyone with money so the identity checking is BS and moot.

    I'm all for a free certifying agency, but you can also roll-your-own with OpenSSL.
    • by justMichael ( 606509 ) on Thursday July 01, 2004 @11:47PM (#9589413) Homepage
      While I agree with you completely. It all depends on what you are using it for.

      The problem with rolling your own is when a browser hits it, it burps up an error saying it can't verify the validity of the cert. Depending on what you are using the cert for, who cares.

      I have my webmail server forced through https with a self signed cert. If someone that uses my webmail server doesn't like it it's no skin off my butt (I provide free mail to a few friends).

      For any business sites that I setup I suggest InstantSSL [instatntssl.com], they are cheap, fast and trusted by pretty much any browser around. And that is the important part when selling to the public, that they don't get some warning. Most of them will never even look to see if the page is encrypted but if they get some funky warning odds are they will leave.
      • I agree with you.

        This is why I pay the "mafia" their protection money for our main e-commerce web servers. Most consumers just see the dialogue box and conjure up images of their credit card numbers showing up on billboards.

        But we all know why we pay this fee: not to really provide more security or privacy for transactions; to merely keep that paranoia-inducing dialog box from appearing. And it's necessary for e-commerce web sites because most users don't know any better.

        But for non-public sites, like
      • Unless I grossly misunderstand how SSL certs work, using a self-signed cert means that anybody in the position to do so can perform a man-in-the-middle attack by spoofing DNS replies and pretending to be your site. Since your cert is self-signed, there's no way for a random third party to tell the difference between your site and a spoof. Getting your cert signed by an authority doesn't just make the annoying dialog go away, it adds to your site's security.
        • It all depends on how you deal with it.

          On my OS X install, I installed the cert so if someone tries a man-in-the-middle I'll know as the cert isn't going to match the one on my box.

          I don't know how the browsers handle it but I can tell Mozilla (all variants I use) to allow the cert. The part I don't know is, do they cache a hash or the fingerprint or just ignore cert warnings for the domain.

          I also provide the cert to anybody that needs it and wants to install it.
      • You should check out FreeSSL.com [freessl.com] instead. It's cheaper than InstantSSL, and works on even more browsers. No, it's not "free" (despite the name), but it is cheap.
        • Did I miss something?

          InstantSSL 1 yr $49
          FreeSSL 1 yr $99

          They claim 96% compatibility, InstantSSL claims 99.3% (love those numbers, WTF)

          They do mention the "hassles" of chained certs. I know it was a huge pain to drop one more file on my box, but I don't see it being worth $50 ;)

          If I did miss something, I apologize. Let me know I'll be checking them out again in the morning.
      • Might want to update that potentially useful link to take the typo out of the URL: InstantSSL [instantssl.com].
  • by kai5263499 ( 751741 ) * <kai@@@werxltd...com> on Thursday July 01, 2004 @11:33PM (#9589328) Homepage
    Note: If you plan to use these certificates with Internet Explorer, Outlook, or Outlook Express then generate the certificate from within Internet Explorer. They can't be successfully imported into Internet Explorer. Believe us, we've tried...
    • How? Really... I need to know (for IE) & can't figure it out, short of having the users install a binary of OpenSSL.
  • Maybe. (Score:3, Insightful)

    by Saeger ( 456549 ) <(farrellj) (at) (gmail.com)> on Thursday July 01, 2004 @11:36PM (#9589348) Homepage
    Could this be the beginning of a true 'open' certificate authority?

    Stumbling blocks would be that Verisign would still be the expensive 'gold standard' for quite a while because it's always been compatible from the early days in the most number of browsers, and another would be getting enough funding to pay for the identity check and other red tape that it takes to really be a 'trusted' cert authority.

    I wonder what the cheaper CA's like thawte and geotrust think...

    • Re:Maybe. (Score:3, Informative)

      by mabu ( 178417 )
      Stumbling blocks would be that Verisign would still be the expensive 'gold standard' for quite a while because it's always been compatible from the early days in the most number of browsers,

      Let's qualify this for people who may not understand.

      This new certifying authority will be just as compatible as any other cert. It will still offer as much encryption protection as any cert provided by any authority.

      The difference is that the browser may not be "pre programmed" to recognize the authority, and will th
      • You miss an important point. I am running a NoCat authentication gateway which captures all inbound http traffic and directs it to a SSL login page. Let's say that I signed my own cert Snake Oil LTD so when a user tries to log on for the first time they have to accept my cert. They have the option of accepting it for this session only and so they do. The next time they try to log in, someone has set up a rogue AP and directs them to a login page just like mine. If they also signed their cert with Snake Oil L
    • Re:Maybe. (Score:5, Informative)

      by nachoboy ( 107025 ) on Thursday July 01, 2004 @11:55PM (#9589454)
      Verisign acquired Thawte [cnn.com] in late 1999. Though they acknowledge the fact [thawte.com] on their corporate website, they don't exactly make it obvious they no longer compete with Verisign.
      • Yea, I'm aware of this. It's pretty insidious that the top two Certifying authorities are basically the same company, pretending to be separate so that people think they have a choice among #1 and #2.

        If you want to have fun, contact one and rant and rave about the other. For example, contact Thawte and tell them you're sick of Verisign and want to switch to them. They'll play along and never tell you they're owned by the same company!
  • by Bodhammer ( 559311 ) on Thursday July 01, 2004 @11:36PM (#9589350)
    Somehow I don't feel all that secure when the site went down in 3 minutes...
  • Finally! :-) (Score:3, Insightful)

    by hackel ( 10452 ) on Thursday July 01, 2004 @11:42PM (#9589385) Journal
    This is one of those things we all say to ourselves "they should do this," yet it never happens. I'm really glad to see this. I can't wait until I can start recommending clients to them and supporting them with large (yet still much cheaper than Verisign/Thawte!) donations. :)
  • by NigritudeUltramarine ( 778354 ) on Thursday July 01, 2004 @11:47PM (#9589412)
    Does anyone else find it somewhat offputting that they include links to both validate their XHTML [w3.org] and validate their CSS [w3.org] on the bottom of their homepage, yet both return a number of errors stating that their page is neither valid XHTML nor uses valid CSS?

    Even more oddly, for a brief instant when I went to their homepage, I got a default Apache index listing, rather than their homepage. It included links to things such as their PHP MyAdmin directory [cacert.org], a number of PHP files, and three zipfiles named Bruce-someversionnumbers.zip.
  • Well it appears that they've just left a single static page up and taken down their php, giving a 404
  • by t0qer ( 230538 ) on Thursday July 01, 2004 @11:54PM (#9589445) Homepage Journal
    I don't see what everyone is crying about certs costing money for. Seeing as how I've set up online shops for several people using certs, I think for what they do, the cost is justified.

    Not just anyone can get a CA cert. You have to be a business, I know Verisign wants a copy of your business license, etc. before they even issue you a cert.

    Now we got this "open CA". Who is going to check if these are legitimate businesses? Will there be any checks done at all, or will it just be "by the truckload" as the headline said?

    I'm all for saving a buck as much as the next guy, but when I shop online, knowing that the cert came from a trusted source that actually checks if it's issuing a cert to a legitimate business like verisign or thawte puts my mind, as well as the minds of a lot of others.
    • You do understand that certs are for far more than online shopping, right? Verified email, for example.
    • by mabu ( 178417 ) on Friday July 02, 2004 @12:03AM (#9589493)
      Not just anyone can get a CA cert. You have to be a business, I know Verisign wants a copy of your business license, etc. before they even issue you a cert.

      It's not a big deal. It doesn't mean anything. It doesn't offer more security ultimately.

      The majority of e-commerce sites on the Internet are NOT operating under their own certs. Many sites that offer hosted shopping carts use a central SSL server operating under an umbrella cert. Nobody really seems to have noticed, so what Verisign/Thawte are selling is not something consumers really seem to care about.
      • hmmm depends. personally i usually wouldn't be handing my cc number to a company that won't pay for its own cert and is using a shared hosting one, unless i already knew they were ok beforehand.
        • by mabu ( 178417 ) on Friday July 02, 2004 @12:24AM (#9589575)
          hmmm depends. personally i usually wouldn't be handing my cc number to a company that won't pay for its own cert and is using a shared hosting one, unless i already knew they were ok beforehand.

          First and foremost, the Fair Credit Billing Act of 1976 protects consumers against most credit card fraud, so the whole notion of fraud being a major issue is essentially blown out of proportion. If someone charges something to your credit card, you charge it back and the burden is on the merchant to prove the legitimacy of the transaction or they lose, so there's never been much of a threat for consumers anyway.

          Second, the way things have been going, customers are likely to get better products and services from smaller companies, many of whom may not be that technically inclined but instead tend to spend their energy on providing their core products and services and not running their own web servers.

          Our ISP handles more than US$5M/month in online transactions for many companies much larger than ourselves, and we operate most sites under our umbrella SSL Cert. Never had any complaints.

          The issue is not unlike Paypal. People accept Paypal on their web sites. When you go to complete the transaction, you're switched to Paypal's servers - there's no easy way around that. Consumers are used to this and companies like mine go out of our way to establish our reputation as a trusted provider of solid, secure e-commerce. Clients that use our services benefit from our reputation and performance. Everything works fine.
    • When you need to verify the absolute identity of someone you're dealing with, these companies, with their background checks (which aren't strong by any stretch of the imagination), certs by Verisign/etc may make sense.

      However, the most common usage of SSL certs is simply to enable encryption between two points. For this, there's nothing wrong with even a home-brew cert - validation of the cert via it matching the domain should be sufficient. A SSL cert generated by a 3rd party adds absolutely nothing to
      • by Leebert ( 1694 ) on Friday July 02, 2004 @12:10AM (#9589532)
        However, the most common usage of SSL certs is simply to enable encryption between two points. For this, there's nothing wrong with even a home-brew cert - validation of the cert via it matching the domain should be sufficient. A SSL cert generated by a 3rd party adds absolutely nothing to security, and it shouldn't do anything to reassure the customer/client that they're dealing with a legitimate operation.

        It prevents man-in-the-middle attacks. That's the most important reason for me to use a trusted CA.
        • It prevents man-in-the-middle attacks. That's the most important reason for me to use a trusted CA.

          A self-signed cert can prevent man-in-the-middle attacks if you have a copy of the cert downloaded.

          Most CAs these days only verify that an e-mail they send to the domain in question is received by the applicant, the same as this lot. I got one from Equifax on this basis, and they're trusted by default in both IE and Mozilla.
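
Whether a kept copy of a self-signed cert stops a man-in-the-middle depends on the question asked earlier in the thread: is a fingerprint stored, or are warnings merely suppressed for the host name? The sketch below is an added example, not code from any poster or from CAcert; the host name `gateway.example`, the class names, and the byte strings standing in for DER certificates are constructed for illustration.

```python
import hashlib
import hmac
import ssl


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes, colon-separated like published fingerprints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_der(host: str, port: int = 443) -> bytes:
    """Fetch a server's leaf certificate without validating it.

    Needs network access, so the offline demo below does not call it.
    """
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


class PinStore:
    """Remembers the fingerprint of the exact certificate accepted per host."""

    def __init__(self):
        self._pins = {}

    def pin(self, host: str, der: bytes) -> None:
        self._pins[host.lower()] = fingerprint(der)

    def check(self, host: str, der: bytes) -> str:
        pinned = self._pins.get(host.lower())
        if pinned is None:
            return "unknown"
        # Constant-time comparison of the two fingerprint strings.
        if hmac.compare_digest(pinned, fingerprint(der)):
            return "match"
        return "MISMATCH"


class HostException:
    """The weaker behaviour: only remembers that warnings were dismissed for a host."""

    def __init__(self):
        self._hosts = set()

    def allow(self, host: str) -> None:
        self._hosts.add(host.lower())

    def check(self, host: str, der: bytes) -> str:
        # The presented certificate is never inspected.
        return "match" if host.lower() in self._hosts else "unknown"


# Constructed stand-ins for DER bytes: same subject name, different key material,
# as in the "Snake Oil LTD" rogue access point scenario from the thread.
GENUINE_DER = b"constructed stand-in for DER bytes: CN=Snake Oil LTD, key A"
ROGUE_DER = b"constructed stand-in for DER bytes: CN=Snake Oil LTD, key B"
HOST = "gateway.example"


def demo() -> dict:
    pins, exceptions = PinStore(), HostException()
    pins.pin(HOST, GENUINE_DER)   # user installed or accepted the real cert once
    exceptions.allow(HOST)        # user clicked through the warning once
    return {
        "pinned_genuine": pins.check(HOST, GENUINE_DER),
        "pinned_rogue": pins.check(HOST, ROGUE_DER),
        "name_only_rogue": exceptions.check(HOST, ROGUE_DER),
        "unseen_host": pins.check("other.example", GENUINE_DER),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The look-alike certificate is flagged only by the store that compares fingerprints; the host-name exception accepts it silently.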
    • I'm willing to reckon these companies make very few checks, and they still pocket the money and still cough up a cert even if they fail. They're for-profit companies. It's not in their interest to turn applicants away, as it hits their bottom line.

      As for Verisign, remember when they'd just hand over any domain with one simple fax? [theregister.co.uk]
  • Question (Score:2, Interesting)

    by mzkhadir ( 693946 )
    So, you install the master cert from their website and visit an anonymous website, when the anonymous website pops up a cert. Will it display on my screen to install or will it be automatically installed because I have installed and trusted the master/root cert.
    • Re:Question (Score:3, Informative)

      There is no installation for the other certs... Once the master is trusted, then as long as there is a chain of trust down to the "anonymous website". The website provides the certificate to the browser, the browser checks the issuer, and as long as the issuer is trusted, the browser accepts the certificate. No display to screen, no installation, nothing...
  • So what? (Score:2, Interesting)

    by Anonymous Coward
    So you can get a free cert. I can generate my own damned certs already. However, if I have a cert that I've paid for, then usually people will trust that, because the cert authority has taken steps to verify that I am who I say I am.

    It's that last thing that makes certs valuable, not the cert itself. A free cert is free because not many people are going to trust it, and with good cause.
  • by BrynM ( 217883 ) * on Friday July 02, 2004 @12:08AM (#9589521) Homepage Journal
    I think the government should sponsor a CA. Sure, their databases are screwy every so often and are the very model of bureaucracy. They are also one of the most "trusted" authorities to most of the neophyte users a warning would scare. Besides, they could probably keep up with Verisign's often weeks long turn around on certificates pretty well. There's some economy and small business stimulation! Unfortunately, maybe some fraud too, but it may also lead to hucksters getting stiffer punishments and/or penalties.
  • by econfuzed ( 763245 ) on Friday July 02, 2004 @01:03AM (#9589723)
    Just a question, how much is this different than www.wildid.com?
    • It seems wildid issues only S/MIME e-mail certificates. This company also offers SSL (https) secure server certificates, which is much more useful. They also seem to be significantly better at what they do. I wouldn't trust a certificate issuer who has an expired certificate on their own secure server. What's their excuse for having an expired self-signed cert???
  • by humankind ( 704050 ) on Friday July 02, 2004 @01:43AM (#9589866) Journal
    My question is, since (currently) IE is the dominant browser, the value of this service is going to depend upon whether or not this new CA can be designated as "trusted" by Microsoft.

    We know this ultimately comes down to how much Microsoft would charge for this certification. Does anyone have any idea what the costs are? I imagine it would be some sort of subscription arrangement where you have to pay in perpetuity to Microsoft in order to not have your trusted status revoked. But how much? And would Microsoft let an open CA even exist in the first place?
  • by mister_tim ( 653773 ) on Friday July 02, 2004 @01:44AM (#9589873)
    This coming from an Australian company? Hardly surprising: us Aussies are always happy to get something for nothing. Getting away with it is always a boasting point and something akin to a national sport/pastime.
  • by Animats ( 122034 ) on Friday July 02, 2004 @02:00AM (#9589925) Homepage
    Most certificates certify nothing. The issuer guarantees nothing, and the "relying party agreement", if you can find it, promises very little, if anything.

    For example, see the TrueSite Relying Party Agreement. [geotrust.com] "The Service is provided on an as-is basis without warranties of any kind".

    Even Verisign's Relying Party Agreement [verisign.com], while it does offer some warranties, has a complicated scheme for weaseling out of Verisign's obligation to verify the certificate holder's identity. The relying party agreement refers you to the CPS Section 11 [verisign.com], says "Issuing authorities (and VeriSign, to the extent specified in the referenced CPS sections) warrant and promise to ... perform the application validation procedures for the indicated class of certificate as set forth in CPS Section 5, Validation of Certificate Applications [verisign.com]." There, Verisign says "The IA shall confirm that ... the information to be listed in the certificate is accurate, except for nonverified subscriber information (NSI). [verisign.com]" The linked definition of "nonverified subscriber information" is "Information supplied to a certification authority as part of a certificate application". So Verisign doesn't actually stand behind any of the information in their certificates.

    This is much weaker than a signature guarantee by a commercial bank, where the bank guarantees to other parties that the person was properly identified. But it costs more.

    I'd like to see banks belonging to Visa International and MasterCard issue digital certificates, and require that their certificates had to be on a page that accepted their credit cards. Certificates from banks would actually be worth something.

  • by JWSmythe ( 446288 ) <jwsmythe@noSPam.jwsmythe.com> on Friday July 02, 2004 @02:35AM (#9590008) Homepage Journal

    I don't see the big difference between a self-signed cert and a CAcert. It's going to be virtually impossible for web sites to get their users to install their root certificate. Users are stupid. Generally, I don't expect they can click a link, much less add a cert.

    I've been looking into using SSL on http://freeinternetpress.com . We're not a registered company, nor do we turn a profit, so it would be an extra cost and hassle to get a real certificate. For us, the only reason to do it is to make some of our users happy by letting them browse by https.

    A self-signed cert isn't any sort of magic, the instructions are in the OpenSSL documentation. I made it a step easier for people we work with, I have a web page that they submit their information to, and it generates everything including the self-signed cert. There's no real magic to it, anyone (err, anyone with a clue) should be able to write the same thing in about 10 minutes. I spent an extra 10 minutes making it pretty.

    People I deal with never use the self-signed cert. They just take the CSR and get the cert signed by a regular signing authority. What's the big difference if I sign it, or if I call myself "Joe's cert company" and start automatically signing certs? It's not much different than what CAcert is doing, other than the fact that they have a donation button on their page. At least with the people I make CSR's and self-signed certs for, I know who they are, and that I'm not accidentally signing a fake microsoft.com cert.
  • by njdj ( 458173 ) on Friday July 02, 2004 @03:32AM (#9590152)
    When I saw this news, my reaction was that it's great and I want to support it. Verisign et al have been too greedy for too long.

    But we have to be careful that we don't let our "wish to believe" blind us to the need for some caution here. Take a look at CACert's site. You'll find carelessness, spelling mistakes, pieces that have not been thought out. Running a CA properly requires meticulous attention to detail, and their site shows the opposite. On the very first page when you sign up, it asks for your name, date of birth, and "country". Is that country of citizenship, or country of residence?

    Then there's the reliance on "government ID". If somebody presents Nigerian ID, or Dominican Republic ID, what exactly is that worth? It's not worth anything, you can bribe officials in those countries (and many others) to issue whatever official document you want. Does that mean that citizens of Nigeria can never be trusted? That's well over 100 million people in just that one country, most of whom are honest and trustworthy. It's ridiculous to exclude so many people from receiving certificates just because their bureaucrats are corrupt, and it's completely contrary to the transnational spirit of the Internet.

    In conclusion, the idea behind CACert is a good one, but the people running it don't seem to be doing a good job. I hope that somebody else takes up the idea and does it better. There is no reason why there should not be more than one volunteer-based CA.


    • Take a look at CACert's site. You'll find carelessness, spelling mistakes, pieces that have not been thought out.

      Yah, it's not a very professional looking site. That's just how it works when you have a limited budget. I think your expectations and standards are a bit too high for an organization that just started. If they still have the same problems in 6 months, I'd be a little worried.

      It's ridiculous to exclude so many people from receiving certificates just because their bureaucrats are corrupt,
  • by Cerebus ( 10185 ) on Friday July 02, 2004 @06:11AM (#9590578) Homepage
    X.509 binds names to keys; it's the name that matters in an X.509 system. But because there aren't enough bits in the human-language name to uniquely identify every entity of interest in the network, X.509 is based on X.500 naming, which mates the human-language name (common name, or CN) with that name's position in the global directory. Together they form the distinguished name, or DN.

    X.500 naming, however, presumes a single, global namespace. The X.500 directory was intended to be a single directory for the entire planet providing unique, inescapable names for everyone.

    Yeah, right. Like that's going to happen.

    As a result, X.509 is carved into literally hundreds of local namespaces. But since we're stuck with the *name* as the principal, we have to use that X.509 name *globally*. There are multiple ugly kludges to get around the name problems as a result.

    This makes X.509 complex, fragile, and difficult to deploy correctly.

    But everyone (potentially) has a globally unique identifier-- the public part of an RSA key. Randomly generated, 2^42 512-bit RSA keys have a probability of colliding on the order of 2^(-429); even the SHA-1 hashes have a collision chance of 2^(-77). Keep in mind that we use 1024-bits as the default nowadays.

    So if you use the public key as a name, it solves a whole raft of problems.

    This is what SPKI/SDSI does. SPKI is key-centric; names are a local convenience; keys are bound to names instead of the other way around, and all names are local to that key. Every participant has a key pair. The public part is the identifier for the keyholder, and the keyholder authenticates himself simply by proving that he has the private part.

    Keep in mind that the whole issue of binding keys to actual people can't be addressed by a PKI, it has to be addressed by strong key storage and access controls and is the same for X.509 and PGP/GPG as it is for SPKI.

    This is similar to the web of trust, but I don't need introducers (well-connected keys) to make it work right.

    SPKI goes on to recognize that since authentication is simple, what we really need from SPKI is authorization. The whole of SPKI is intended to define a flexible method of allowing authorization *and authorization delegation* in a simple, distributed fashion. SPKI defines an authorization *language* so that authorizations can be chained *without the SPKI library knowing what the tokens actually mean*. This means that a single library can handle the permission sets of all applications. In addition, the language rules prevent all entities in the chain of delegations from being able to exceed the permissions they were granted.

    Achieving the same under X.509 (using attribute certificates, for example) is next to impossible. ACs don't delegate (well, the standard itself says technically you can but you *shouldn't*); aren't truly distributed (i.e., the AC acts as a single choke point in granting permissions, which SPKI avoids), and don't model the way trust naturally flows in an organization of people (whereas SPKI allows you to source and pass around trusts in more natural ways).

    Very cool stuff. SPKI shows up in all kinds of places. Carl Ellison's homepage provides the best jumping-off point if you want to learn more:

    http://world.std.com/~cme/html/spki.html
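
The delegation rule described in the comment above (key hashes as names, chained grants that can narrow but never widen) can be sketched as follows. This is an added example, not code from the comment or from any SPKI library; it assumes signatures were already verified, simplifies SPKI's tag language to flat sets of opaque tokens, and uses constructed byte strings in place of real public keys.

```python
import hashlib
from dataclasses import dataclass

def key_name(public_key: bytes) -> str:
    """Key-centric naming: the principal is the hash of its public key."""
    return hashlib.sha256(public_key).hexdigest()[:16]

@dataclass(frozen=True)
class Cert:
    issuer: str         # key hash of the grantor
    subject: str        # key hash of the grantee
    may_delegate: bool  # may the subject pass the grant on?
    tag: frozenset      # permissions; opaque tokens to this code
    not_after: int      # end of validity, Unix time

def reduce_chain(chain, root, now):
    """Return (final subject, effective permissions) for a delegation chain.

    Assumes each certificate's signature was already verified against its
    issuer key; only the authorization logic is shown here.
    """
    if not chain:
        raise ValueError("empty chain")
    holder, perms, can_pass_on = root, None, True
    for cert in chain:
        if cert.issuer != holder:
            raise ValueError("issuer is not the previous subject")
        if not can_pass_on:
            raise ValueError("issuer was not allowed to delegate")
        if cert.not_after < now:
            raise ValueError("certificate expired")
        # Intersect: a link may narrow the grant, never widen it.
        perms = cert.tag if perms is None else perms & cert.tag
        holder, can_pass_on = cert.subject, cert.may_delegate
    return holder, perms

# Constructed sample data: placeholder byte strings stand in for public keys.
OWNER, ALICE, BOB, CAROL = (key_name(k) for k in
                            (b"owner-key", b"alice-key", b"bob-key", b"carol-key"))
NOW = 1_088_726_400  # constructed "current time"
TO_ALICE = Cert(OWNER, ALICE, True, frozenset({"read", "write"}), NOW + 3600)
# Alice over-claims "admin", which she never held, and forbids re-delegation.
TO_BOB = Cert(ALICE, BOB, False, frozenset({"read", "write", "admin"}), NOW + 3600)
TO_CAROL = Cert(BOB, CAROL, False, frozenset({"read"}), NOW + 3600)

if __name__ == "__main__":
    print(reduce_chain([TO_ALICE, TO_BOB], OWNER, NOW))
```

The verifier only needs the root key it already trusts locally; Bob ends up with read and write, and any chain that continues through Bob is rejected because his grant did not allow delegation.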
  • Why not Mozilla.org? (Score:3, Interesting)

    by Can ( 21457 ) on Friday July 02, 2004 @08:35AM (#9591236)
    I've often wondered why mozilla.org doesn't start their own CA. Sell certs for a reasonable price like $50, and people would probably happily pay that price to know that they are also supporting browser development. Plus, mozilla.org can be sure that their CA will be included in at least one browser... :-)
