Re: Verisign/NSI/Thawte monopoly
On Thu, 30 Mar 2000, Thomas Reinke wrote:
> [EMAIL PROTECTED] wrote:
> > So it seems to me that while the cert may certify that said organization is who they say they are - nobody seems to ask if who they say they are has any relevance to anything.
> [snip]
> Look back to the problem it is solving
> a) SSL makes sure no-one can intercept communications meant to be private
> b) Certificates authenticate that the person is who they say they are.

??? This is not a statement of a problem. What is the problem that is solved by these properties, and how does that relate to a problem that someone actually wants to solve?

> Trust goes to trusting that second statement, not the trustworthiness of the company behind the statement.

If we don't trust the CA, why should we trust the certs that it issues? What basis would we have for trusting A's certification that a certificate asserting that it belongs to B was in fact issued to B, other than to trust that A has diligently investigated the requestor's claims and met our standards for establishing that that person is in fact B?

--
Mark H. Wood, Lead System Programmer [EMAIL PROTECTED]
"Where's the kaboom? There was supposed to be an Earth-shattering kaboom!" -- Marvin Martian, 01/01/2000 00:00:00

__
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: Verisign/NSI/Thawte monopoly
On Thu, 30 Mar 2000 [EMAIL PROTECTED] wrote:
> You missed my point. Read on...
> > b) Certificates authenticate that the person is who they say they are.
> > Trust goes to trusting that second statement, not the trustworthiness of the company behind the statement.
> People in general presume that when they see the little key that they are dealing with a "bonified" business. Yes, I know that the certification process does not do this. And since it doesn't do this it isn't worth much.

Now I am surprised. The key only means that you have a reasonably secure channel to an unknown endpoint. Do lots of people really believe that it means any more than that? That is frightening.

--
Mark H. Wood, Lead System Programmer [EMAIL PROTECTED]
"Where's the kaboom? There was supposed to be an Earth-shattering kaboom!" -- Marvin Martian, 01/01/2000 00:00:00
Re: Verisign/NSI/Thawte monopoly
[EMAIL PROTECTED] wrote:
> So it seems to me that while the cert may certify that said organization is who they say they are - nobody seems to ask if who they say they are has any relevance to anything.
[snip]

Look back to the problem it is solving
a) SSL makes sure no-one can intercept communications meant to be private
b) Certificates authenticate that the person is who they say they are.

Trust goes to trusting that second statement, not the trustworthiness of the company behind the statement.

> =
[snip]
> Or to put it another way - I do business and I deal with my bank for instance. I trust my bank... and I would be quite happy if my bank issued a cert for me to use that authenticates that my company is a good corporate citizen and in good standing with the bank at least. A cert from my bank would mean something. A cert from Thawte does not and neither does a cert from Verisign. Since my bank for instance would be considered probably by the vast majority of customers to be a far more reliable measure of e-commerce trustworthiness, why should my bank be forced into the situation of having to fork over hundreds of thousands or even millions for literally NOTHING... if it wants to issue a cert?

Getting a bank account is just as trivial and does NOT add anything to the value of the trustworthiness of the company. It just says that (in your example) the fraudster went with a piece of ID such as a birth certificate, drivers license (again easily duplicated) and his company papers and opened up an account for that company.

> This is a ransom fee and little more.
> =
> I think it is quite germane to us who develop the keys that enable internet commerce and security to look at the broader issue of who controls and profits from the technology we develop.
Re: Verisign/NSI/Thawte monopoly
You missed my point. Read on...

> > b) Certificates authenticate that the person is who they say they are.
> > Trust goes to trusting that second statement, not the trustworthiness of the company behind the statement.

People in general presume that when they see the little key that they are dealing with a "bonified" business. Yes, I know that the certification process does not do this. And since it doesn't do this it isn't worth much.

> Getting a bank account is just as trivial and does NOT add anything to the value of the trustworthiness of the company. It just says that (in your example) the fraudster went with a piece of ID such as a birth certificate, drivers license (again easily duplicated) and his company papers and opened up an account for that company.

It SURE IS worth something. Banks have filing requirements and they generally KNOW their customers. Furthermore there are a number of credit reporting agencies affiliated and you can contact a number of them and get credit information before you deal with the company.

But I think you sort of made my point here - if the bank - which generally KNOWS its customers - doesn't provide much of anything in the way of saying anything about the "legitimacy" of a business, then a cert from any of the present CA's says even less.

You note that the bank is not in the position of charging you several hundred per year for your bank account number. Verisign is exactly in this position and is doing it.

Furthermore - if you bill over the internet via say VISA or pretty much ANY credit card for that matter - the banks will require you to deposit sufficient funds so that if there is ANY dispute over whether the transaction is legitimate - then YOU, as the MERCHANT, carry full responsibility and the customer need only complain and ask for his money returned. And if you end up with a sizeable number of chargebacks I can assure you that your merchant VISA account will be cancelled.

So there is accountability imposed by the banking side of the e-commerce system. To put it succinctly - if you have a merchant VISA account and can bill via the net - this means something - and in fact the merchant VISA number which shows up on your visa bill is a GOOD measure of authenticity. Anyone can get Verisign to issue a cert - but the standards for a merchant account aren't quite so simple.
RE: Verisign/NSI/Thawte monopoly
Err Verisign bought Thawte last year :)

At 09:45 pm 28/03/00, you wrote:
> Gee, Before I get flamed for the Subject: Of course, Verisign and Thawte are American and South African companies, so cannot be a monopoly (Two American companies doing this likely would), and of course NSI, the major marketer of Verisign certs, is a registrar for domains, and this cannot be considered as a monopoly either.
>
> First I've heard any comments on the list, and I've been listening for a while now. You may want to check out the project forming at http://www.freecert.org
>
> Bill Laakkonen
>
> On 28 Mar 00, at 10:30, Tariq Habib wrote:
> > I fully support your point of view.
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
> > Sent: Tuesday, March 28, 2000 5:20 AM
> > To: [EMAIL PROTECTED]
> > Subject: Verisign
> >
> > > I just found out that Verisign has acquired NSI. A short while back they acquired Thawte. I think some of us should be looking into ways to get certs from a "real" competitor to Verisign recognized by IE and Netscape. I know that netscape allows easy importation of a cert and that IE is a bit of a bugger - but for the vast majority of the great unwashed public they need a "clean" simple and brain-dead solution or they will continue to go with the flow. Concentration of economic power like we see in Verisign at this point is NEVER healthy - or am I overreacting?
RE: Verisign/NSI/Thawte monopoly
Gee, Before I get flamed for the Subject: Of course, Verisign and Thawte are American and South African companies, so cannot be a monopoly (Two American companies doing this likely would), and of course NSI, the major marketer of Verisign certs, is a registrar for domains, and this cannot be considered as a monopoly either.

First I've heard any comments on the list, and I've been listening for a while now. You may want to check out the project forming at http://www.freecert.org

Bill Laakkonen

On 28 Mar 00, at 10:30, Tariq Habib wrote:
> I fully support your point of view.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
> Sent: Tuesday, March 28, 2000 5:20 AM
> To: [EMAIL PROTECTED]
> Subject: Verisign
>
> > I just found out that Verisign has acquired NSI. A short while back they acquired Thawte. I think some of us should be looking into ways to get certs from a "real" competitor to Verisign recognized by IE and Netscape. I know that netscape allows easy importation of a cert and that IE is a bit of a bugger - but for the vast majority of the great unwashed public they need a "clean" simple and brain-dead solution or they will continue to go with the flow. Concentration of economic power like we see in Verisign at this point is NEVER healthy - or am I overreacting?
RE: Verisign/NSI/Thawte monopoly
It's time to have some kind of governing body to force the browser makers include all accredited CA's in the list of automatically trusted CA's. Not the ones that pay them big $$$.

Cheers
Paul

On Tue, 28 Mar 2000, you wrote:
> Gee, Before I get flamed for the Subject: Of course, Verisign and Thawte are American and South African companies, so cannot be a monopoly (Two American companies doing this likely would), and of course NSI, the major marketer of Verisign certs, is a registrar for domains, and this cannot be considered as a monopoly either.
>
> First I've heard any comments on the list, and I've been listening for a while now. You may want to check out the project forming at http://www.freecert.org
>
> Bill Laakkonen
>
> On 28 Mar 00, at 10:30, Tariq Habib wrote:
> > I fully support your point of view.
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
> > Sent: Tuesday, March 28, 2000 5:20 AM
> > To: [EMAIL PROTECTED]
> > Subject: Verisign
> >
> > > I just found out that Verisign has acquired NSI. A short while back they acquired Thawte. I think some of us should be looking into ways to get certs from a "real" competitor to Verisign recognized by IE and Netscape. I know that netscape allows easy importation of a cert and that IE is a bit of a bugger - but for the vast majority of the great unwashed public they need a "clean" simple and brain-dead solution or they will continue to go with the flow. Concentration of economic power like we see in Verisign at this point is NEVER healthy - or am I overreacting?

--
Paul Khavkine
Tucows International Corp.
96 Mowat Avenue
Toronto, Ontario M6K 3M1
[EMAIL PROTECTED]
ICQ: 8882921
PGP Key:
Type Bits/KeyID    Date       User ID
pub  2048/D467B527 1999/04/12 Paul Khavkine [EMAIL PROTECTED]
Key fingerprint = 33 92 6A 87 23 81 3F 44 5A 7D F3 8F 03 CE 2D 60
RE: Verisign/NSI/Thawte monopoly
This is way off-topic, but:

> force the browser makers include all accredited CA's in the list

Please define "accredited CA"

But somewhere else, not this list. :)
RE: Verisign/NSI/Thawte monopoly
Hi there,

> It's time to have some kind of governing body to force the browser makers include all accredited CA's in the list of automatically trusted CA's. Not the ones that pay them big $$$.

Only if they also ensure that the CAs also pass some level of periodic audit-review to ensure they're worthy of "assumed trustworthiness" by the millions of unwitting dupes out there ... namely us, the browser users. Without such an *international* standards mechanism in place (this should not be another US-controlled thing IMHO), *no* CAs should be installed by default, after all - if the CA hasn't been validated by some public body as worthy of issuing certificates of identity (or corporation, or whatever) then it is only superior to my own cooked up CA by way of its size, PR, and operational capacity (it can blindly stamp certificates at a greater rate per hour than I can). Hence, without any such independent review, their CA cert deserves to be embedded in the browser no more than mine does.

So the question is not so much "who else deserves to have a CA cert included in the browser", but rather "do the CA certs embedded in the browser deserve to be there". There's a subtle but salient distinction.

You're certainly right that getting a CA cert embedded in the browsers through an exchange of funds is highly unethical ... bundling audio-visual tools, ISP service promotions, etc is a pain, but that's business and you can understand that - even if it's annoying. However, a browser's handling of security, and certification in particular, is an issue that begins to touch on areas of civil liberties, privacy, trade secrets, law (eg. digital signature legislation, credit-card fraud), and perhaps (for the first time I have ever found it acceptable to use this phrase) "national security". On reflection of that, buying a place in the trusted root cert repository is a highly immoral, unethical, and corrupt process.

After all, for 99.9% of the populace, the embedded CA certs in their browser are effectively the "arbiters of identity" on the Internet ... a dubious role for private software companies to just be handing out to the highest bidders.

Just my $0.02 worth ... (which will *not* buy my way into those root cert stores, but then the current quality of browser security does not provide too many obstacles to me forcing its way in there anyway). :-)

Cheers,
Geoff
Re: Verisign/NSI/Thawte monopoly
[EMAIL PROTECTED] wrote:
> Gee, Before I get flamed for the Subject: Of course, Verisign and Thawte are American and South African companies, so cannot be a monopoly

You are not well informed on the subject of law in the EU or US. A merger, acquisition or other alliance that does or has the potential to significantly reduce competition falls under numerous statutes. The fact that these companies are registered in different countries is irrelevant -- where they sell their products is what counts.
RE: Verisign/NSI/Thawte monopoly
Automatic reply: I am at a training course until 31 March. For urgent matters please contact Roman Iwanicki.

Regards,
Michal Trojnara

"[EMAIL PROTECTED]" 03/29/00 01:18
> hi, IMHO someone should create a central trusted CA that is open sourced for all to trust however that would take some doing..;-)) ..anyone interested:-))
>
> On Tue, 28 Mar 2000, Hostmaster wrote:
> > There is no governing body that I am aware of. Is it to be yet another American led thing? That is what got things to the state they're in now. Also, what would be an appropriate list to discuss these things, if not openssl-users?
> >
> > Bill Laakkonen
> > www.im1.net
> >
> > > It's time to have some kind of governing body to force the browser makers include all accredited CA's in the list of automatically trusted CA's. Not the ones that pay them big $$$.
>
> --
> ** DREAMWVR.COM - TOTAL INTERNET SERVICES
> TOTAL DESIGN - DEVELOPMENT - INTEGRATION - SECURITY - Click Here.. http://www.dreamwvr.com/services/MAX_SEC.html
> DREAMWVR.COM - The Console of Many... 90 Topics Covered http://www.dreamwvr.com/dynamicduo.html
> mailto:[EMAIL PROTECTED]
> LINUX-MANDRAKE Solution Provider and North American Distributor - PRODUCT OF THE YEAR! http://www.dreamwvr.com/mandrake/mandrake-main.html
> PGP Key Available *** "As Unique as the Company You Keep." * "If anyone speaks from DREAMWVR.COM its certainly not me:-)"
RE: Verisign/NSI/Thawte monopoly
Hi,

Take a look at http://www.openca.org

Sam Stern, Bethesda, MD, USA

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of dreamwvr
Sent: Tuesday, March 28, 2000 6:18 PM
To: [EMAIL PROTECTED]; Hostmaster; [EMAIL PROTECTED]
Subject: RE: Verisign/NSI/Thawte monopoly

hi, IMHO someone should create a central trusted CA that is open sourced for all to trust however that would take some doing..;-)) ..anyone interested:-))

On Tue, 28 Mar 2000, Hostmaster wrote:
> There is no governing body that I am aware of. Is it to be yet another American led thing? That is what got things to the state they're in now. Also, what would be an appropriate list to discuss these things, if not openssl-users?
>
> Bill Laakkonen
> www.im1.net
>
> > It's time to have some kind of governing body to force the browser makers include all accredited CA's in the list of automatically trusted CA's. Not the ones that pay them big $$$.

--
** DREAMWVR.COM - TOTAL INTERNET SERVICES
TOTAL DESIGN - DEVELOPMENT - INTEGRATION - SECURITY - Click Here.. http://www.dreamwvr.com/services/MAX_SEC.html
DREAMWVR.COM - The Console of Many... 90 Topics Covered http://www.dreamwvr.com/dynamicduo.html
mailto:[EMAIL PROTECTED]
LINUX-MANDRAKE Solution Provider and North American Distributor - PRODUCT OF THE YEAR! http://www.dreamwvr.com/mandrake/mandrake-main.html
PGP Key Available *** "As Unique as the Company You Keep." * "If anyone speaks from DREAMWVR.COM its certainly not me:-)"
RE: Verisign/NSI/Thawte monopoly
On Tuesday, March 28, 2000 at 04:18:15 PM, [EMAIL PROTECTED] wrote:
> hi, IMHO someone should create a central trusted CA that is open sourced for all to trust however that would take some doing..;-)) ..anyone interested:-))

I'm game for putting in some time/effort - but I think you're possibly underestimating the sheer volume of work that would go into creating a CA that *everyone* would trust. You'd have to do an awful lot of verification work on each and every cert (personal or server) before anyone trusted you... let alone all of them.

That said... if someone has an idea of how to do this and make it work, count me in. :)

Kevin

Kevin Evans | [EMAIL PROTECTED]
A government big enough to give you everything you want is a government big enough to take from you everything that you have. --- Gerald Ford

#!/bin/perl -sp0777i<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<j]dsj
$/=unpack('H*',$_);$_=`echo 16dio\U$k"SK$/SM$n\EsN0p[lN*1
lK[d2%Sa2/d0$^Ixp"|dc`;s/\W//g;$_=pack('H*',/((..)*)$/)

--
Are you a citizen of the walled city? Free Webmail | Privacy Encryption http://www.thewalledcity.net/
RE: Verisign/NSI/Thawte monopoly
I looked closely into purchasing a cert from Thawte and it is still something WE'll have to do. What strikes me though is that it seems to me that there is no real value in such a thing. I can for instance incorporate a company and shell out about $200 and get my cert. After that everyone trusts me. Total cost is oh about $500 or so if I do the incorporation myself. This is pretty trivial actually. I could be in jail for FRAUD and still get a cert.

So it seems to me that while the cert may certify that said organization is who they say they are - nobody seems to ask if who they say they are has any relevance to anything. In fact - I'll bet I can go down to our local government offices in Canada and register Ajax Web Contractors and then send a cert request on to Thawte and since Ajax now exists and is legitimately registered as say a "sole proprietorship" - the cert will be issued. Last time I registered a "sole proprietorship" it cost me $5.00 and I don't recall them asking for ID.

The problem of course is that a chain is only as strong as its weakest link and the threads that bind cert security together appear really tenuous to me.

=

That having been said - we have a very practical problem on our hands. Microsoft saw fit to include a very LIMITED number of cert issuing authorities in IE and the majority of people use IE. IMHO there IS no security in a windows system anyway and precious little in the fact that somebody issued said cert to said fly-by-night ecommerce organization. Still - people want to see the little key-lock on and certain commercial interests know this and are busy purchasing the key players in the interest of milking cyberspace - with I might add - little concern as to the INTENT of a certification process. I therefore see no moral reasons why we just don't go into IE and patch a few files to introduce a few new players.

I suspect there will be a moral outcry over such a suggestion but the other alternative seems to be for each of us who has an e-commerce interest - to quietly hand over to some wealthy American interests a ransom for the privilege of doing e-commerce.

Or to put it another way - I do business and I deal with my bank for instance. I trust my bank... and I would be quite happy if my bank issued a cert for me to use that authenticates that my company is a good corporate citizen and in good standing with the bank at least. A cert from my bank would mean something. A cert from Thawte does not and neither does a cert from Verisign. Since my bank for instance would be considered probably by the vast majority of customers to be a far more reliable measure of e-commerce trustworthiness, why should my bank be forced into the situation of having to fork over hundreds of thousands or even millions for literally NOTHING... if it wants to issue a cert? This is a ransom fee and little more.

=

I think it is quite germane to us who develop the keys that enable internet commerce and security to look at the broader issue of who controls and profits from the technology we develop.