Mailing List Archive



Re: [tlug] cacert question




Hi Kalin, Darren, and Stephen,

Thank you for the follow-up. Up until now, I've been blissfully unaware of how this works within my browser. After Taisuke's talk about CAcert, I began to wonder how they differ and why one is better than the other.


On 24/02/11 10:40, Stephen J. Turnbull wrote:
...
  >  Normally, to bill a credit card, they would need our signature; a
  >  web-based transaction bypasses this requirement so perhaps credit
  >  card companies have a say in how companies offer this service?
That's false.  Long before the Internet, you could order goods by
phone, and that is still a common way for criminals to launder stolen
accounts because they can easily block the phone number.


Ah, that's true. And perhaps it wasn't that long ago; I remember doing it. I guess with the Internet, I have quickly forgotten about it.


  >  Would I be correct in saying that there is no special requirement to
  >  be a Root CA issuer?

That's trivially correct, since anyone can self-sign.

Being a Root CA is like being a Lloyds "name".  The important thing is
that you have a fixed address and a well-known phone number to call
when somebody wants to sue you.


Yes, that is what I thought an advantage of a Root CA would be.

IMHO, that's also an "advantage" of proprietary software like Windows [probably not a good thing to say on this list ;-) ]. Despite its many problems, I guess it gives many people the illusion that you can sue them...much like what happened in the USA with Toyota. However, I guess the EULA wouldn't allow you to? Anyway, there is a fixed address, etc. for Microsoft as well and perhaps that's why some people still turn to it...


That's very not nice, actually.  As usual, the reason for avoiding
credit cards is 20% lack of trust in banks, and 95% being pretty sure
that what you're doing is illegal and/or subject to taxes you would
prefer to avoid paying.

Note that the main reason that Ozawa and his henchmen are not (yet) in
jail is that they were carrying around stacks of 10,000 1-man-en bills
in paper bags.  If this had been done with bank accounts instead of
cash, those guys would have been sharing cells with Horie (who did lie
and got what he deserved, I guess) and Murakami (who got jailed for
making money in the neighborhood of a liar -- there was no question of
"insider" information since the information was originally developed
by Murakami based on publicly available data).


Ah yes...perhaps I should trust credit cards a bit more. As for Ozawa, I'm getting a bit tired of hearing about him. I'm surprised the Japanese media can talk about one topic for so long... :-)

Hmmmm, all of your comments [not just Stephen's] still make me wonder (somewhat rhetorically) how browsers trust Root CAs in the first place. Surely along a long line of trust, there is some weak point somewhere. Someone who would reply when questioned, "What? My brother just said he was going to borrow my hanko for a few minutes." or something like that... :-)

Or put it another way, generally speaking, we hopefully trust our friends and maybe our friends' friends. But I think this trust drops after a few degrees of separation. It's somewhat strange in this case that we're still using the word "trust", but it doesn't diminish with distance...

Ray


