Mailing List Archive



Re: [tlug] cacert question



Hi Raymond,

It's a complex problem which questions multiple levels of "trust".
It boils down to the following (in)equation:

   verified != accountable != trustworthy

To give out a credit card #, it (the company you're shopping at) must be trustworthy.
But the truth is no RootCA actually provides that. It is you who's
deciding to trust.

I often shop at foreign web shops, but that's not because I trust them
100%, but because I have a certain level of trust in the "theft protection"
provided by my card issuer. That allows me to shop even if I only
trust something like 85%. And most of the "trust" comes from the shop's page
content and reputation, not from being "verified" by a cert.

Having an SSL-protected site doesn't directly increase my trust in the
shop, as it can be cheaply obtained. But it does increase my safety
from crack attempts by non-shop members. And I increase my trust in the
shop by seeing that. The shop showed that it does care about customers'
safety, so I assume that the shop is worth trusting more.

Now, part of this safety comes from "verification" done by the RootCA. So
in theory, the stricter, the better. So now the question is

    How much verification is "enough"?
    Can it be automated? What part should be done by human?

For the automated part, I think all RootCAs have almost the same level of
security, or at least, they can be made to have one.

The major difference resides in the human-operated part. For this part, major
commercial RootCAs do have an advantage over CAcert (at the expense of
higher cost).

- As all operation is done inside its organization, they have much
fewer people to go after in case of legal conflict.
- Depending on the RootCA (and type of cert), a human operator can take
extra, strict effort to verify identity.

Note I wrote "Depending on the RootCA". Today's low-cost issuers tend to
issue certs so easily that I came to believe their reliability is
around the same as CAcert's.

   === Comparison of CAcert and "Low-Cost RootCAs (LCRs)" ===
  - LCRs only check a xerox copy of an ID card.
  - CAcert asks for face-to-face direct verification, by at least 3 people.
  - LCRs have shorter, and more reliable, links to people to go after in
case of legal conflict.
  - CAcert has longer/more complex, and less reliable, links to people to go
after in case of legal conflict.

While CAcert can be operated in a slack manner, I'd rank CAcert at the
same level as these LCRs. So the idea of CAcert is that while it's
hard to be more reliable than major (highly reputed, with reliable
track record) RootCAs, it's probably possible to build a "good enough"
RootCA with community effort (because it does provide verification to a
certain degree). I don't think CAcert will replace existing RootCAs,
but it can surely be a coexisting alternative.

VeriSign's (et al.) EV-SSL is an effort to add more
"accountability" by even stricter operation. However, it's adding an
extra layer/complexity (and $$$), and I doubt if people outside the tech
industry ever understand what it means anyway...

> I thought I'd start a new thread rather than continue the other one...
>
> Thank you to the speakers for the talks on Saturday!  About cacert,
> after returning home, I was thinking about it.  Do we expect it to be
> a replacement for CA root some day?
>
> Perhaps I am missing something, but this kind of community-based
> system is only as strong as its weakest link.  Once someone is slack,
> then the problem propagates and it is difficult to correct the
> problem.  I can see the system being used to authenticate something
> unimportant like verifying an e-mail sender's identity.  But, I might
> be worried about authenticating a company that receives my credit card
> number -- seems there isn't any accountability?
>
> As an aside, one interesting story I read was about the USA and Canada
> border.  In the pre-9/11 days, you could cross the land border using a
> birth certificate or a driver's license.  Both were error prone since
> a birth certificate has no photo and each of the states/provinces have
> different driver license styles [unlike Japan which seems standardized
> nation-wide?].  So, immigration on both sides really just did their
> best.  So government identity cards aren't foolproof...actually, in a
> way, nothing is.  But maybe with a central authority that is used to
> seeing real identity cards, it will be harder to get fakes through?
>
> Anyway...have I missed something?  Or is it just that both sides have
> their advantages and disadvantages and neither is truly better?
>
> Ray
>
> --
> To unsubscribe from this mailing list,
> please see the instructions at http://lists.tlug.jp/list.html
>
> The TLUG mailing list is hosted by the award-winning Internet provider
> ASAHI Net.
> Visit ASAHI Net's English-language Web page: http://asahi-net.jp/en/
>