Gervase Markham wrote:

You don't, necessarily. But if you don't, you can't expect others to trust your limited verifications.

In reality, how is our system any worse than any other? (Before you answer that, read the rest of my email.) (Sorry to others that have heard it before, but it still holds true now as much as at any time in the past.)


Being blunt, the totality of your email makes it clear that you started from the viewpoint of "it's unfair that only companies have the ability to prove their identity and get SSL certs" and decided to reduce verification enough to let everyone else in, rather than starting from the viewpoint of "we need to be equally secure and verifiable; how do we do that in a not-for-profit context?".

It was also 2 or 3 am (it's now 5 am and I'm in a worse frame of mind, but I'll try again to get my point across); also, I'm not the best at articulating in words what I am trying to get across.


Goal: a formalised and verifiable global verification system for the purpose of encryption deployment.

Basically this goal is unobtainable by any CA for the reason both Ian and I pointed out: no uniform ID system exists that is a one-size-fits-all across the entire planet. To make matters worse, identity theft is rampant, even in the US (as noted by Ian's link), so if you have governments pro-actively working against tying up loopholes** in their own systems*, what hope do CAs have of actually vetting that anyone, anywhere, really is the person they're claiming to be? (If it's rampant in the US, imagine how bad it really is in countries that have much bigger issues than identity fraud.)

In Boston last year, there were guys telling us how it took very little effort to get Dun & Bradstreet to update information on companies to get certificates issued... So if you know how the system works, how hard is it to abuse it in reality?

Companies are getting code signing certificates for spyware; while technically this is valid, surely it is ethically and morally wrong? Isn't this what code signing was supposed to prevent?

When it boils down to it***, all a CA can do is view the evidence (bits of paper), record some of it, and pray their snake oil**** isn't discovered for what it really is, saying this company has this domain and they seem to have a piece of paper saying they have a right to use the domain. There of course is the bit you pointed out about not being fair... Why shouldn't a legal entity (not just companies; companies in most places are also considered legal entities as well) be entitled to the same protections just because they don't have a piece of paper issued by their respective governments saying they have a right to use even their own last names? Security, last time I checked, revolved around more than simple money matters, and the number of uses of PKI certificates is increasing well beyond simple websites. IMAPS, POP3S, SMTP TLS, IRCS, all valid uses (most/all have a password component) that don't want 3rd parties listening in, and it's already fact about different govt. agencies snooping on and treading all over the ability for us to ever hold a private conversation with another human being ever again.

I started out this venture a little naive, and have since gained a remarkable insight into what the PKI industry is all about; it's certainly not security, because you can't judge intent, just deal with it after the fact... As are most crimes such as identity theft, fraud etc... If you look at the patterns emerging it seems to me that everything is going the way of the domain industry several years ago... High prices and monopoly, to a more open market and cheaper certificates; does this mean reduced checking, or was there ever any decent checking in the first place?

The questions that should be asked: what people think CAs really should be doing and what they really are doing are generally two different things, CAcert being a slightly different case in that virtually everything is so out in the open and for the most part it's the general consensus that we go with.

So basically, is CAcert facing more scrutiny and having to jump a higher bar than every other CA because we don't have the funds to put toward a WebTrust audit? I'd be inclined to say it's certainly perceived that way by an outsider.

Realistically I have lost count of the number of times people have put questions to me like "Why should we trust CAcert?", and these aren't people that have never used certificates of one kind or another before, but they are so well brainwashed they never ever stopped to consider why they trust any other CA; it's just always been that way and how most people were told to accept it. So I reflect the question back to them and you can almost see a light bulb going off above their head at how the whole system is based on marketing a lot more than security. It's all a smoke and mirrors show put on to try and milk large gobs of money out of large corporates. This however is a failed marketing campaign to print money, and the sum total of the SSL market is really quite poor if the truth be known (I know I was shocked at how tiny it really is!).

* Most ID is circular: in most countries you start off with a birth certificate, get a driver's license from your birth certificate, then a passport, and so on and so forth.
** 2 of the 9/11 terrorists held valid Virginia driver's licenses in fake names.
*** 10 myths of PKI: one of them is that the word "trust" with CAs really only means the CA is trustworthy enough to protect its private key; it has no ability to really judge the intent of a person requesting a certificate.
**** Another myth (the snake oil) is the fact that if you do get wrongly issued a certificate for a server, unless you hijack the domain the certificate is basically useless. Obviously this doesn't apply to code signing or email certificates. So while it's harder to abuse a server certificate, people were more inclined to accept weaker email certificates...


There are a million other discrepancies in the PKI industry; 10 myths of PKI is a good place to start...

--

Best regards,
 Duane

http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://happysnapper.com.au - Sell your photos over the net!
http://e164.org - Using Enum.164 to interconnect asterisk servers

"In the long run the pessimist may be proved right,
    but the optimist has a better time on the trip."
_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto