On Wed, 26 Sep 2007 20:59:12 +1200 Raffael <[EMAIL PROTECTED]> wrote:
> Hey Volker,
>
> Volker Kuhlmann wrote:
> > On Tue 25 Sep 2007 20:57:48 NZST +1200, Christopher Sawtell wrote:
> >> Adding a certificate yourself is not exactly mind-boggling science.
> >
> > Browser: Settings->crypto config->yadda->import
> >
> > There are 2 major problems with this:
> >
> > 1) My $RELATIVE would be able to do it with a bit of talking. They would
> > however not be able to assess and understand the security implications
> > of this.
> >
> That's a general problem. Most people don't even know/care about sending
> their credentials in PLAINTEXT over the net while logging in to their
> mail account (e.g. everyone [EMAIL PROTECTED] who doesn't use webmail).
> And then all the private data in their emails, webforms, ...

Personally, I use plaintext authentication over a tls session. And I signed the certificate on my server.

> > 2) Every single user of my website will have to do it. This is a k.o.
> > for ecommerce and many other sites.
> >
> So you are not seeing the advantage of CAcert? What about the 5000-8000
> CAcert certificates issued every month (ok, probably not all server certs)?

I think you're blindly centring on one of the two uses of a certificate in this scenario. Yes the data's encrypted, but no, there's proof that the certificate issuer is genuine.

> >> imho, this whole CA lark is just that. A lark to wrought money out of
> >> the ignorant and innocent.
> >
> > Ack, the certificate mafia holding everyone at gunpoint. They do provide
> > a necessary service (it solves 2) above), but not at a price remotely
> > proportionate to the cost of providing it.
> >
> >> of money! I really do not know any of them, so why should I trust
> >> them for even a moment to say that some A. N. Other is trustworthy?
> >
> > Their promises as to a 3rd party identity may not be worth much, but
> > epsilon divided by 0 is still infinitely more than 0 ... :)
> >
> > There are 2 different cases we need to keep distinguishing here: I set
> > up a website for a limited target audience each member of which I can
> > personally provide with a certificate. Nothing will beat my self-made
> > self-signed certificate. The other is where there can not be a personal
> > relationship between 2 parties, hence the delegation of trust to a trust
> > network.
> >
> > Coming back to CAcert, I'm afraid their website doesn't inspire me with
> > more confidence than a cert issued by Verislime&Co(TM), their idea is
> > good though, although the current state of affairs is not much better
> > with using a CAcert instead of a self-made one, AFAICT. The previously
> > referenced Mozilla bug is donkeys years old and the CAcert CA still
> > isn't in Mozilla.
>
> A CA (Certification Authority) is defined as Independent and trustworthy
> entity.

By whom? Given the size of the local community, it's not their peers.

> CAcert provides me with a certain trust, that the website I am looking
> at, and the provided certificate belong together. Additionally I know,
> the identity of the certificate holder was checked by at least two[1]
> other persons.

And how many of these multi-pointed personages will I be meeting in Christchurch? Who's to say that they are people of unblemished record, and not just a bunch of criminals grouping together. This is the core problem with the web of trust concept. OK, the thawtes and verisigns of this world are amazingly expensive for what they deliver - and their salespeople are amongst the more offensive on or off the net - but they do deliver and do guarantee their services, and they are commercial businesses. Read their smallish print.

> The other reason, why I use CAcert, is the GnuPG key signing feature.
> Now I don't need to bother collecting more and more signatures on my
> GnuPG key ;-)

No, a third party, whose security practices are unknown is holding them too. But it doesn't work too well though, there's 'no public key to verify the signature' on this email, according to my mail client.

> Cheers,
> Raffael stuck in the WebOfTrust
>
> [1] if those persons are fully assured (150 points)

Hey, Sideshow Bob's probably going to be our new mayor, so loads of people are doing the same thing to him. I don't trust him either, but at least I've met him!
