Massimiliano Pala wrote:
> It seems the basic idea circulating is: we do provide a
> certification authority
> without any liability from our side (we do not guarantee that
> certificates' signature
> can be recognized in any way legally bionding), just like the
> Verisign certificates
> are. Indeed when you request a verisign's certificate you are
> not request for id
> proof or anything ... just submit a form, that's all.
That's not quite true for verisign. If you take a look at:
https://www.verisign.com/repository/CPS1.2/CPSCH4.HTM
under class 3 /Business Entities: Required Information
Even for a class 1 (e-mail) certificate you cannot just submit
a form, you would also have to prove that you have access to that
e-mail account.
They even offer a limited form of insurance:
https://www.verisign.com/repository/netsure/index.html
Hmmm - this is beginning to sound like I'm pro verisign, which I'm
definetely not. I think my message is that it isn't simple to set
up a CA (I should know, since that is what I do for a living ;-).
I suppose you could argue that since Verisign try to avoid any form
of liability, then they cannot be trusted. But when you look
through their CPS - http://www.verisign.com/repository/CPS/ then
you can see that they do a bit more than just sign the certificates.
IMHO a CA that signs just about anything without at least a minimum
of verification is something that really isn't worth anything except
for testing puposes. It can hardly be trusted to be any better than
a self signed certificate.
>
> In this framework the new Open-World-Driven CA is due to operate.
>
Just to be sure: You want to set up a CA that will issue
certificates based only on user input and not in any way validate
what it is signing?
I personally would think that setting up a serious[1] alternative to
verisign would be the way to go. Something like what Thawte is doing
now, or what Bruce Perens was hinting in the thread: "Seeking
officers for Free-software-friendly CA." Anyway, he would have to
set up his operation outside USA to avoid RSA patents.
Having one or two serious[1] alternatives to Verisign that are
supported by the community would IMO be a lot better than having a
bunch of more or less unreliable CA's that can't be trusted (In a
way I suppose you shouldn't really trust Verisign and the other CA's
that are preloaded into browsers either, but you just can't expect
the average joe luser to choose wether to trust a root CA or not.)
[1] serious as in something with well defined policies, secure
hosting and with a certain amount of liability.
vh
Mads Toftum, QDPH
--
Cynic, n.:
A blackguard whose faulty vision sees things as they are, not
as they ought to be. Hence the custom among the Scythians of plucking
out a cynic's eyes to improve his vision.
-- Ambrose Bierce, "The Devil's Dictionary"
smime.p7s