On Wed, May 18, 2005 at 03:58:08PM -0700, Justin Karneges wrote:
> On Wednesday 18 May 2005 12:43 pm, Peter Saint-Andre wrote:
> > We can debate which of these approaches is superior
>
> The problem isn't the approach, as any is far too complicated for the
> layman to understand, but rather the problem is of which CAs to trust.
> The fact is, CAcert is not installed by default into any root cert
> storage, thus reducing its usability to that of PGP. For CAcert to be
> usable, it _needs_ to be in everyone's root cert storage (cue related
> chicken-and-egg discussion about Jabber).
>
> I've read their web page, and they sound like a good, honest,
> security-minded, and geeky bunch. There was a request to have their cert
> added into Psi. The question is, am I qualified to make such a decision
> given all of the security concerns that may go along with it? The answer
> is no. Too much rests on X.509, despite how much we hate paying for
> domain certs. Instead, I decided to wait-and-see what Mozilla will do.
>
> Mozilla's selection of certificates is not random. There is a metric for
> deciding which CAs are trustworthy, called WebTrust. Since CAcert is not
> certified by WebTrust, folks maintaining root storages are stuck. They
> want to trust CAcert because they like the notion, but going against
> WebTrust would undermine the whole X.509 system. If it's ok to violate
> the rules because of a feel-good hunch, we're doomed.
>
> Either CAcert needs to be WebTrust certified (company Foo with a million
> dollars, would you please stand up for this noble cause?), or we need to
> create a new metric for trusting CAs, which could be another grass-roots
> effort, independent of CAcert. It doesn't matter at all if Verisign
> sucks or that WebTrust sucks. The fact is we need _some_ system, and we
> either need to work within it or change it.
>
> > Outside of CAcert, XMPP servers could of course also trust the same CAs
> > that are trusted by, say, Mozilla
>
> Obviously. XMPP servers are no different than clients in this regard,
> which also trust the same CAs as Mozilla.

Well, I suggest doing some research on the matter of root CAs. The existing root CA lists were decided upon in a rather arbitrary fashion (the ca-bundle.crt file you see floating around was defined back in the year 2000 or whatever and has not changed since), and I think Netscape didn't really have an official policy on the matter. CAcert's request to be added to the Mozilla list has exposed the fact that there really were no policies in effect before -- now they are being defined. The WebTrust stuff can be seen as an effort to circle the wagons and prevent new entrants into the CA market (especially inexpensive entrants). In fact there are many many questions one could raise about the conflicts of interest in the existing CA universe, the ethical status of VeriSign, and much more. To reduce the question to "I'll trust whatever Mozilla trusts" simplifies the decision for you but then you have abdicated judgment.

/psa

_______________________________________________
jdev mailing list
http://mail.jabber.org/mailman/listinfo/jdev
