On Wednesday 18 May 2005 12:43 pm, Peter Saint-Andre wrote:

> We can debate which of these approaches is superior

The problem isn't the approach, as any is far too complicated for the layman to understand, but rather the problem is of which CAs to trust. The fact is, CAcert is not installed by default into any root cert storage, thus reducing its usability to that of PGP. For CAcert to be usable, it _needs_ to be in everyone's root cert storage (cue related chicken-and-egg discussion about Jabber).

I've read their web page, and they sound like a good, honest, security-minded, and geeky bunch. There was a request to have their cert added into Psi. The question is, am I qualified to make such a decision given all of the security concerns that may go along with it? The answer is no. Too much rests on X.509, despite how much we hate paying for domain certs. Instead, I decided to wait and see what Mozilla will do.

Mozilla's selection of certificates is not random. There is a metric for deciding which CAs are trustworthy, called WebTrust. Since CAcert is not certified by WebTrust, folks maintaining root storages are stuck. They want to trust CAcert because they like the notion, but going against WebTrust would undermine the whole X.509 system. If it's ok to violate the rules because of a feel-good hunch, we're doomed. Either CAcert needs to be WebTrust certified (company Foo with a million dollars, would you please stand up for this noble cause?), or we need to create a new metric for trusting CAs, which could be another grass-roots effort, independent of CAcert. It doesn't matter at all if Verisign sucks or that WebTrust sucks. The fact is we need _some_ system, and we either need to work within it or change it.

> Outside of CAcert, XMPP servers could of course also trust the same CAs
> that are trusted by, say, Mozilla

Obviously. XMPP servers are no different than clients in this regard, which also trust the same CAs as Mozilla.

-Justin

_______________________________________________
jdev mailing list
[email protected]
http://mail.jabber.org/mailman/listinfo/jdev
