Karl Denninger <[EMAIL PROTECTED]> writes:
> On Mon, Mar 06, 2000 at 02:10:42PM -0800, EKR wrote:
> > The generation, no. However, in order for people sending you mail
> > to be sure that they are not subject to active key substitution
> > attacks, they key pair does need to be securely bound to the
> > recipient. Unless you're prepared to exchange keys with all of your
> > correcpondents out of band, you do need third party key certification.
> > PGP accomplishes this using key signing rather than certificates
> > per se, but it's an analagous concept.
>
> Understood.
>
> However, the concept that a PERSON needs to pay upwards of $100 to get a key
> by which they can have a SSL connection work from a web server is insane.
>
> Why are there no public CAs - much like the public keyrings for PGP?
>
> Why does Nutscrape and Microslug only ship with COMMERCIAL, and EXPENSIVE,
> CAs loaded?
I can't speak for the rationales behind MS or NSCP's policies, but
I don't think this is as simple as you make it out to be.
The issue is maintaining reference integrity for HTTPS transactions.
The client has in hand a URL of the form <https://www.example.com/>.
When he connects to the server, the server presents his certificate.
This certificate should have the identity "www.example.com" (in the
CN field). If it doesn't, then the browser will pop up a dialog
complaining about this. The reason for this check is (once again)
to prevent active substitution attacks whereby someone with a
legitimate certificate for a different e.g. "www.attacker.com"
poses as the server.
In order for this procedure to work correctly, the CAs must enforce
the binding between domain name and identity in certificate. If they
don't, then active attacks are possible. Thus, any CA trusted by MS or
NSCP must agree to these rules. But enforcing them is irritating and
expensive. I don't know of any non-commercial CA who promises
to do so.
Your comparison to PGP keyservers really isn't apt. PGP
keyservers are more like LDAP directories than CAs. The provider
of the keyserver doesn't vouch for the keys, he simply serves
them. The signatures on the keys are (usually) those of individuals.
-Ekr
--
[Eric Rescorla [EMAIL PROTECTED]]
PureTLS - free SSLv3/TLS software for Java
http://www.rtfm.com/puretls/
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
