
Re: [tlug] cacert question



On 24/02/11 15:32, Stephen J. Turnbull wrote:
> Raymond Wan writes:
>
> > > Being a Root CA is like being a Lloyds "name".  The important thing is
> > > that you have a fixed address and a well-known phone number to call
> > > when somebody wants to sue you.
> >
> > IMHO, that's also an "advantage" of proprietary software
>
> Not really.  The EULA says the same thing as the GPL: NO WARRANTY.  So
> winning such a lawsuit is not very likely.


Yes, that's true. I suppose the average consumer clicks "Agree" without actually reading it and perhaps is not fully aware of the EULA. If some big problem happened [big enough to rival the Toyota braking problem], then maybe the words of the EULA will be put under the spotlight. But, such a spotlight may still not have an effect.


> The advantage of proprietary software is in its unique features,
> presumably protected by law, and if you're lucky, in the afterservice
> that monopoly revenues allow it to provide.  But in general, there is
> no visible difference in code quality or real warranties for people
> unwilling to pay up front for a service contract.  (There is a quality
> advantage to proprietary software, however: that monopoly revenue also
> allows them to provide a myriad of tiny features that are boring and
> unfun to provide.  Eg, the various images and stuff that come with MS
> Office, and the slick default themes.)


Well, I'm not trying to defend Microsoft [really, I am a Linux user and not a spy :-) ], but many Microsoft-haters aren't aware of the work that comes out of Microsoft Research. I think they do a lot of work in natural language processing, speech recognition, and search engines. Of course, such work is motivated by business, but it is still advancing research.

I'm sure there was some division in Microsoft Research that was responsible for the Paperclip (tm). :-)


> They have a very specific, very circular, definition of trust.  "I
> trust that this server is the same server that signed up with the Root
> CA in the first place."  SSL is intended to protect you from ordinary
> wiretapping.  Root CAs protect you from wiretapping where you call a
> known number and you end up connected to somebody else.
>
> There's nothing here that says that you can trust the entity at the
> other end of the wire, or very little that says you really know who
> they are.  It's up to you to check that the "amazon-com.com" that
> offers you a certificate digitally signed by Entrust is really the
> well-known bookseller.  And of course there's nothing at Entrust that
> says that Jeff Bezos is more honest than Takafumi Horie.  (Hint:
> Amazon.com is a Verisign customer....)


Ah, I see -- thank you for helping me make the distinction between the two -- SSL and Root CAs.


> > It's somewhat strange in this case that we're still using
> > the word "trust", but it doesn't diminish with distance...
>
> It *does* diminish with distance.  That's why every CACert member must
> meet you *personally* before giving you points.  Each one is Kibo
> distance[1] one from you, and then they can add on their points to you.
>
> See the GPG book for how longer chains of trust work.  They do indeed
> diminish with distance.


Hmmm, that's true about personally meeting. But if we have a chain of people meeting each other:

A --> B --> C --> D --> E

then A and E are in the same "web of trust", despite them never having met each other. And if C was somehow slack, then the web is only as good as the weakest link.

On the other hand, for a CAcert member to issue a cert for a long enough duration, s/he had to have met many people. So, I guess this is the main safeguard. I see.


> Footnotes:
> [1]  Look up "Kibo" in some trove of 'net-lore.  If you have shaken
> hands with Kibo, you have an (unofficial) distance of one.  Official
> kibo distances are measured by the minimum number of links in a chain
> of "I got an email from X who got one from Y who got one from Z who
> got one directly from Kibo."  (Personal contact is not taken into
> account for official distance.  I have a Kibo distance of 2.)


I've never heard of Kibo in this context; I'll be sure to look it up. Sounds similar to the Erdos number of research in mathematics.

Thank you all for your help in understanding cacert! Have a good weekend!

Ray
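Added example, not part of the thread and not CAcert's or GnuPG's own code: a small Python model of the A --> B --> C --> D --> E chain discussed above, with a second route through F. The names and the per-hop confidences are made up; the only real figures borrowed are GnuPG's defaults of max-cert-depth 5 and marginals-needed 3. It shows trust falling with every hop, a slack C capping the whole chain, and why requiring several independent vouchers (the "had to have met many people" safeguard) limits what one careless assurer can do.

```python
from math import prod

# Constructed web of trust for the A -> B -> C -> D -> E chain from the
# thread, plus a second route through F.  "X": {"Y": c} means X met Y in
# person and checked Y's identity with thoroughness c (1.0 = photo ID
# checked against the face, 0.0 = took their word for it).  Names and
# confidences are hypothetical, not real CAcert assurers or point values.
MEETINGS = {
    "A": {"B": 0.9, "F": 0.8},
    "B": {"C": 0.9},
    "C": {"D": 0.9},
    "D": {"E": 0.9},
    "F": {"E": 0.8},
    "E": {},
}


def chains(meetings, src, dst, max_depth=5, _path=None):
    """Yield every cycle-free chain of introductions from src to dst that is
    at most max_depth hops long (5 is GnuPG's default --max-cert-depth)."""
    path = _path or [src]
    if src == dst:
        yield path
        return
    if len(path) - 1 >= max_depth:
        return
    for nxt in meetings.get(src, {}):
        if nxt not in path:
            yield from chains(meetings, nxt, dst, max_depth, path + [nxt])


def hops(meetings, path):
    """Per-hop confidences along a chain, in order."""
    return [meetings[a][b] for a, b in zip(path, path[1:])]


def chain_trust(meetings, path):
    """Trust carried end to end by one chain: the product of its hops.
    Each extra hop multiplies by a number <= 1, so trust can only shrink
    with distance; that is why an assurer has to meet you personally
    rather than vouch for a friend of a friend."""
    return prod(hops(meetings, path))


def weakest_link(meetings, path):
    """The hop with the lowest confidence: one slack assurer caps the
    whole chain, however careful everyone else was."""
    return min(zip(path, path[1:]), key=lambda e: meetings[e[0]][e[1]])


def best_chain(meetings, src, dst, max_depth=5):
    """Strongest chain from src to dst as (trust, path); (0.0, []) if none."""
    best = max(chains(meetings, src, dst, max_depth),
               key=lambda p: chain_trust(meetings, p), default=None)
    return (chain_trust(meetings, best), best) if best else (0.0, [])


def independent_vouchers(meetings, src, dst, min_trust, max_depth=5):
    """People who met dst directly and whom src can reach by a chain worth
    at least min_trust once dst's own hop is included.  Demanding several
    of them (GnuPG's --marginals-needed defaults to 3) is the "had to have
    met many people" safeguard: no single slack link decides the outcome."""
    found = set()
    for who, met in meetings.items():
        if who != src and dst in met:
            t, _ = best_chain(meetings, src, who, max_depth - 1)
            if t * met[dst] >= min_trust:
                found.add(who)
    return found


def slacken(meetings, a, b, confidence):
    """Copy of the web with one hop's confidence replaced (a slack C)."""
    copy = {k: dict(v) for k, v in meetings.items()}
    copy[a][b] = confidence
    return copy


if __name__ == "__main__":
    long_chain = ["A", "B", "C", "D", "E"]
    t, path = best_chain(MEETINGS, "A", "E")
    print("best chain A->E:", "->".join(path), f"trust={t:.4f}")
    slack = slacken(MEETINGS, "C", "D", 0.3)
    print("weakest link once C is slack:", weakest_link(slack, long_chain))
    t2, path2 = best_chain(slack, "A", "E")
    print("best chain with slack C->D:", "->".join(path2), f"trust={t2:.4f}")
    print("vouchers for E (min 0.5):", sorted(independent_vouchers(MEETINGS, "A", "E", 0.5)))
    print("same after slackening C->D:", sorted(independent_vouchers(slack, "A", "E", 0.5)))
```

Run as a script it shows the four-hop chain beating the route through F until C->D is slackened, after which the F route wins and D stops counting as a usable voucher for E; with a higher min_trust the set of acceptable vouchers shrinks further, which is the point of asking for more than one.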



