Hi Kyle,

This is a very interesting and extensive piece and I'm sure that no one 
gets offended here. Opinions are important in order to learn! Please 
allow me some comments (without offense ;-)).

Kyle Hamilton wrote:
> have you ever tried to use signed  
> messages via Outlook Express over Hotmail?  They append a Hotmail  
> footer to every message body, which invalidates the signature.
Which is certainly a deficiency of MS. Interestingly they tend to 
support PKI usually....
> We only buy the  
> certificates for our servers because of the "Netscape Tax" -- the  
> requirement that Netscape built into its browsers that every server  
> must have a valid X.509 certificate signed by a pre-approved entity  
> that Netscape contracted with.
Personally I was and still am working on making this argument a thing of 
the past. Today we have the StartCom CA which is "trusted" by many 
software vendors - also thanks to the Mozilla CA policy! There are very 
good arguments for "pre-approved" CAs, since the PKI model relies on a 
certain liability and responsibility by all parties involved. And as 
StartCom has proved, the cost of digital certification is not a 
criterion for CAs!
>
> The amount of information in a certificate is staggering.
> The certified information is so hidden by the chrome of every  
> application that uses it that it's only the most truly paranoid  
> people who look at it anyway.
> ...and even then, the information they need to see isn't put in front  
> of their face when they double-click the lock icon, they instead get  
> a completely worthless explanation of just what 'security' (in the  
> context of an un-wiretappable TCP connection) means.  It takes at  
> least one more click to see the information that the X.509  
> certificate is supposed to certify.
>   
I absolutely agree with you! Personally I tried to push for a 
change in order to make this important information more easily accessible. 
I still believe that things must be changed - even after the new 
implementation for FF3 which might be somewhat better. Information about 
the subscribers shouldn't be hidden away as far as possible, but be the 
first thing one sees. Instead we have "Authenticated by StartCom Ltd.".
>
> And why is there such a concept of a 'signed certificate' being a  
> magical and mystical string of bits that only an approved entity can  
> issue? 
Well, it isn't actually! But for the relying party it's important to 
know that a certain standard and conditions are fulfilled by the issuing 
CA. Remember, certificates are important for the relying party, not the 
certificate holder. It is a very common misconception that digital 
certification is for them, which it's not! It's about the party which 
has to rely on it. (Agreed that this misconception is a direct result of 
the Netscape - Verisign pair from the 90's)
>
> At the moment, OpenID is more useful and usable than X.509.  
OH NO! Nobody can rely on any OpenID information! First of all, OpenID 
is a (web)SSO and replacement for the username/password pair for login 
facilities. It can't and doesn't say anything about the ID nor has 
anything been verified ever. Please see also 
https://blog.startcom.org/?p=20
Nor has OpenID ANYTHING to do with cryptography! Where is the comparison 
to it? Which data can I exchange with OpenID? Which documents move 
securely from A to B? Which traceable information can I retain for my 
online purchase? Where does OpenID prevent eavesdropping?

Either you haven't understood what OpenID is about or maybe what x509 is 
about or both.

-- 
Regards 
 
Signer:         Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber:         [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog:   Join the Revolution! <http://blog.startcom.org>
Phone:          +1.213.341.0390
 
