Mailing List Archive



Re: [tlug] cacert question



Raymond Wan writes:

 > If I understand the system correctly...Amazon could have created their
 > own certificates and thus be their own Root CA.  But they go to
 > Verisign or whoever because ... I don't know why?

Because any man-in-the-middle can be their own Root CA.  That's no
better than having no certificate at all.  Unless you save Amazon's
cert, you cannot be sure from one access to the next that you're
talking to the same Amazon.  Saving all certs would be a large burden
on clients, and worse, it would involve substantial setup (e.g., a phone
call or personal visit) to bootstrap *each* new partner.

With a Root CA, on the other hand, you have a *single* cert to
remember (actually, a short list), and this is distributed with common
browsers.

 > Could credit card companies such as Visa impose a requirement on
 > web-based companies to go to a third party to obtain certificates?

They could, but I don't know that they do.  Per the above, they don't
need to.

 > Normally, to bill a credit card, they would need our signature; a
 > web-based transaction bypasses this requirement so perhaps credit
 > card companies have a say in how companies offer this service?

That's false.  Long before the Internet, you could order goods by
phone, and that is still a common way for criminals to launder stolen
accounts because they can easily block the phone number.

 > > Major difference resides in human-operated part. For this part, major
 > > commercial RootCAs do have advantage over CAcert (at the expense of
 > > higher cost).
 > > - As all operation is done inside its organization, they have much
 > > fewer people to go after in case of legal conflict.
 > > - Depending on RootCA (and type of cert), human operator can take
 > > extra, strict effort to verify identity.

But the main feature (having a short list of Root CAs) is the same.

 > Yes, you are right -- not all Root CAs are the same.  No doubt some
 > have entered the business to make money...

All commercial ones did, by definition.  It's only the clientele that
differs.

 > Would I be correct in saying that there is no special requirement to
 > be a Root CA issuer?

That's trivially correct, since anyone can self-sign.

Being a Root CA is like being a Lloyds "name".  The important thing is
that you have a fixed address and a well-known phone number to call
when somebody wants to sue you.

 > 4 digits.  Not very secure!  One nice thing is that Japan doesn't seem
 > so reliant on credit cards...

That's very not nice, actually.  As usual, the reason for avoiding
credit cards is 20% lack of trust in banks, and 95% being pretty sure
that what you're doing is illegal and/or subject to taxes you would
prefer to avoid paying.

Note that the main reason that Ozawa and his henchmen are not (yet) in
jail is that they were carrying around stacks of 10,000 1-man-en bills
in paper bags.  If this had been done with bank accounts instead of
cash, those guys would have been sharing cells with Horie (who did lie
and got what he deserved, I guess) and Murakami (who got jailed for
making money in the neighborhood of a liar -- there was no question of
"insider" information since the information was originally developed
by Murakami based on publicly available data).

