Re: Verisign/NSI/Thawte monopoly

2000-03-31 Thread Michal Trojnara

Odpowiedz automatyczna:

Do 31 marca jestem na szkoleniu.
W pilnych sprawach prosze o kontakt z Romanem Iwanickim.

Z powazaniem,
Michal Trojnara

>>> "[EMAIL PROTECTED]" 03/31/00 19:21 >>>

hi,
On Fri, 31 Mar 2000, Mark H. Wood wrote:
> On Thu, 30 Mar 2000 [EMAIL PROTECTED] wrote:
> > You missed my point.  Read on...
> > 
> > >   b) Certificates authenticate that the person is who they say they
> > >  are.
hmmm... i have always thought the Certs from CA simply say yeah we know 
about them.. sort of like a community string in snmp is all and well acts 
as a "trusted 3rd party" that is if you believe that..;-))
> > > Trust goes to trusting that second statement, not the trustworthiness
> > > of the company behind the statement.
> > > 
> > 
> > People in general presume that when they see the little key that they are
> > dealing with a "bonified" business.  Yes, I know that the certification
> > process does not do this.  And since it doesn't do this it isn't worth
> > much.
all it does is allow for triangulation in a 'more trusting way;
> Now I am surprised.  The key only means that you have a reasonably secure
> channel to an unknown endpoint.  Do lots of people really believe that it
> means any more than that?  That is frightening.
just saw that on a morning show where someone focused on the security of 
128 bit DES and the diff of guessing that on  SSL rather than on anything..
else but this is par for the course. as well have always thought that the 
man in the middle attack would not need to come from the void rather from
the 'trusted 3rd party" but that is for another day ..
> -- 
> Mark H. Wood, Lead System Programmer   [EMAIL PROTECTED]
> "Where's the kaboom?  There was supposed to be an Earth-shattering kaboom!"
>-- Marvin Martian, 01/01/2000 00:00:00
> 
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List[EMAIL PROTECTED]
> Automated List Manager   [EMAIL PROTECTED]
-- 
___

** DREAMWVR.COM - TOTAL INTERNET SERVICES 
TOTAL DESIGN - DEVELOPMENT - INTEGRATION - SECURITY - Click Here..

DREAMWVR.COM - The Console of Many... 90 Topics Covered
 
->> LINUX-MANDRAKE Solution Provider and North American Distributor <<-
PRODUCT OF THE YEAR!

"===0 PGP Key Available 
*** "As Unique as the Company You Keep." *
"If anyone speaks from DREAMWVR.COM its certainly not me:-)"


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Re: Verisign/NSI/Thawte monopoly

2000-03-31 Thread dreamwvr

hi,
On Fri, 31 Mar 2000, Mark H. Wood wrote:
> On Thu, 30 Mar 2000 [EMAIL PROTECTED] wrote:
> > You missed my point.  Read on...
> > 
> > >   b) Certificates authenticate that the person is who they say they
> > >  are.
hmmm... i have always thought the Certs from CA simply say yeah we know 
about them.. sort of like a community string in snmp is all and well acts 
as a "trusted 3rd party" that is if you believe that..;-))
> > > Trust goes to trusting that second statement, not the trustworthiness
> > > of the company behind the statement.
> > > 
> > 
> > People in general presume that when they see the little key that they are
> > dealing with a "bonified" business.  Yes, I know that the certification
> > process does not do this.  And since it doesn't do this it isn't worth
> > much.
all it does is allow for triangulation in a 'more trusting way;
> Now I am surprised.  The key only means that you have a reasonably secure
> channel to an unknown endpoint.  Do lots of people really believe that it
> means any more than that?  That is frightening.
just saw that on a morning show where someone focused on the security of 
128 bit DES and the diff of guessing that on  SSL rather than on anything..
else but this is par for the course. as well have always thought that the 
man in the middle attack would not need to come from the void rather from
the 'trusted 3rd party" but that is for another day ..
> -- 
> Mark H. Wood, Lead System Programmer   [EMAIL PROTECTED]
> "Where's the kaboom?  There was supposed to be an Earth-shattering kaboom!"
>-- Marvin Martian, 01/01/2000 00:00:00
> 
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List[EMAIL PROTECTED]
> Automated List Manager   [EMAIL PROTECTED]
-- 
___

** DREAMWVR.COM - TOTAL INTERNET SERVICES 
TOTAL DESIGN - DEVELOPMENT - INTEGRATION - SECURITY - Click Here..

DREAMWVR.COM - The Console of Many... 90 Topics Covered
 
->> LINUX-MANDRAKE Solution Provider and North American Distributor <<-
PRODUCT OF THE YEAR!

"===0 PGP Key Available 
*** "As Unique as the Company You Keep." *
"If anyone speaks from DREAMWVR.COM its certainly not me:-)"


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Re: Verisign/NSI/Thawte monopoly

2000-03-31 Thread Richard Levitte - VMS Whacker

mwood> Now I am surprised.  The key only means that you have a
mwood> reasonably secure channel to an unknown endpoint.  Do lots of
mwood> people really believe that it means any more than that?  That
mwood> is frightening.

You wouldn't believe what J. Random Luser can believe...

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Chairman@Stacken   \ S-168 35  BROMMA  \ T: +46-8-26 52 47
Redakteur@Stacken   \  SWEDEN   \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED]
   Member of the OpenSSL development team

Unsolicited commercial email is subject to an archival fee of $400.
See  for more info.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Re: Verisign/NSI/Thawte monopoly

2000-03-31 Thread Mark H. Wood

On Thu, 30 Mar 2000 [EMAIL PROTECTED] wrote:
> You missed my point.  Read on...
> 
> >   b) Certificates authenticate that the person is who they say they
> >  are.
> > 
> > Trust goes to trusting that second statement, not the trustworthiness
> > of the company behind the statement.
> > 
> 
> People in general presume that when they see the little key that they are
> dealing with a "bonified" business.  Yes, I know that the certification
> process does not do this.  And since it doesn't do this it isn't worth
> much.

Now I am surprised.  The key only means that you have a reasonably secure
channel to an unknown endpoint.  Do lots of people really believe that it
means any more than that?  That is frightening.

-- 
Mark H. Wood, Lead System Programmer   [EMAIL PROTECTED]
"Where's the kaboom?  There was supposed to be an Earth-shattering kaboom!"
 -- Marvin Martian, 01/01/2000 00:00:00

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Re: Verisign/NSI/Thawte monopoly

2000-03-31 Thread Mark H. Wood

On Thu, 30 Mar 2000, Thomas Reinke wrote:
> [EMAIL PROTECTED] wrote:
> > So it seems to me that while the cert may certify that said organization
> > is who they say they are - nobody seems to ask if who they say they are
> > has any relevance to anything.
> 
> [snip]
> 
> Look back to the problem it is solving
>   a) SSL makes sure no-one can intercept communications meant to be
>  private
>   b) Certificates authenticate that the person is who they say they
>  are.

???  This is not a statement of a problem.  What is the problem that is
solved by these properties, and how does that relate to a problem that
someone actually wants to solve?

> Trust goes to trusting that second statement, not the trustworthiness
> of the company behind the statement.

If we don't trust the CA, why should we trust the cert.s that it issues?
What basis would we have for trusting A's certification that a certificate
asserting that it belogs to B was in fact issued to B, other than to trust
that A has diligently investigated the requestor's claims and met our
standards for establishing that that person is in fact B?

-- 
Mark H. Wood, Lead System Programmer   [EMAIL PROTECTED]
"Where's the kaboom?  There was supposed to be an Earth-shattering kaboom!"
 -- Marvin Martian, 01/01/2000 00:00:00

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Re: Verisign/NSI/Thawte monopoly

2000-03-30 Thread terr



You missed my point.  Read on...

>   b) Certificates authenticate that the person is who they say they
>  are.
> 
> Trust goes to trusting that second statement, not the trustworthiness
> of the company behind the statement.
> 

People in general presume that when they see the little key that they are
dealing with a "bonified" business.  Yes, I know that the certification
process does not do this.  And since it doesn't do this it isn't worth
much.

>  Getting a bank account is just as trivial and does NOT add anything
> to the value of the trustworthiness of the company. It just says that
> (in your example) that the fraudster went with a piece of ID such as
> a birth certificate, drivers license (again easily duplicated) and
> his company papers and opened up an account for that company.

It SURE IS worth something.  Banks have filing requirments and they
generally KNOW their customers.  Furthermore there are a number of credit
reporting agencies affiliated and you can contact a number of them and get
credit information before you deal with the company.  

But I think you sort of made my point here - if the bank - which generally
KNOWS its customers - doesn't provide much of anything in the way of
saying anything about the "legitimacy" of a business, then a cert from any
of the present CA's says even less.  You note tht the bank is not in the
position of charging you several hundered per year for your bank account
number.  Verisign is exactly in this position and is doing it.

Furthermore - if you bill over the internet via say VISA or pretty much
ANY credit card for that matter - the banks will require you to deposit
sufficient funds so that if there is ANY dispute over whether the
transaction is legitimate - then YOU, as the MERCHANT, carry full
responsibility and the customer need only complain and ask for his money
returned.

And if you end up with a sizeable number of chargebacks I can assure you
that your merchant VISA account will be cancelled.  So there is
accountability imposed by the banking side of the e-commerse system.

To put it succintly - if you have a merchant VISA account and can bill via
the net - this means something - and in fact the merchant VISA number
which shows up on your visa bill is a GOOD measure of authenticity.

Anyone can get Verisign to issue a cert - but the standards for a merchant
account aren't quite so simple.



__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Re: Verisign/NSI/Thawte monopoly

2000-03-30 Thread Thomas Reinke



[EMAIL PROTECTED] wrote:

> 
> So it seems to me that while the cert may certify that said organization
> is who they say they are - nobody seems to ask if who they say they are
> has any relevance to anything.

[snip]

Look back to the problem it is solving
  a) SSL makes sure no-one can intercept communications meant to be
 private
  b) Certificates authenticate that the person is who they say they
 are.

Trust goes to trusting that second statement, not the trustworthiness
of the company behind the statement.

> 
> =
> 

[snip]

> 
> Or to put it another way - I do business and I deal with my bank for
> instance.  I trust my bank...  and I would be quite happy if my bank
> issued a cert for me to use that authenticates that my company is a good
> corporate citizen and in good standing with the bank at least.  A cert
> from my bank would mean something.  A cert from Thawte does not and
> neither does a cert from Verisign.  Since my bank for instance would be
> considered probably by the vast majority of customers to be a far more
> reliable measure of e-commerce trustworthiness, why should my bank be
> forced into the situation of having to fork over hundred's of thousands or
> even millions for literally NOTHING... if it wants to issue a cert?

 Getting a bank account is just as trivial and does NOT add anything
to the value of the trustworthiness of the company. It just says that
(in your example) that the fraudster went with a piece of ID such as
a birth certificate, drivers license (again easily duplicated) and
his company papers and opened up an account for that company.

> 
> This is a ransom fee and little more.
> 
> =
> 
> I think it is quite germain to us who develope the keys that enable
> internet commerce and security to look at the broader issue of who
> controls and profits from the technology we develop.
> 
> 
> 
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List[EMAIL PROTECTED]
> Automated List Manager   [EMAIL PROTECTED]
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



RE: Verisign/NSI/Thawte monopoly

2000-03-29 Thread David

Err   Verisign bought Thawte last year :)

At 09:45 pm 28/03/00, you wrote:
>Gee,
>
>Before I get flamed for the Subject:
>Of course, Verisign and Thawte are American and South African
>companies, so cannot be a monopoly(Two American companies
>doing this likely would), and of course NSI, the major marketer of
>Versign certs, is a registrar for domains, and this cannot be
>considered as a monopoly either.
>
>First I've heard any comments on the list, and I've been listening for
>a while now.
>
>You may want to check out the project forming at
>http://www.freecert.org
>
>Bill Laakkonen
>
>On 28 Mar 00, at 10:30, Tariq Habib wrote:
>
> > I fully support your point of view.
> >
> > > -Original Message-
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED]]On Behalf Of
> > > [EMAIL PROTECTED]
> > > Sent: Tuesday, March 28, 2000 5:20 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: Verisign
> > >
> > >
> > > I just found out that Verising has aquired NSI.  A short while back they
> > > aquired Thawte .
> > >
> > >
> > >
> > > I think some of us should be looking into ways to get certs from a "real"
> > > competitor to Verisign recognized by IE and Netscape.
> > >
> > > I know that netscape allows easy importation of a cert and that IE is a
> > > bit of a bugger - but for the vast majority of the great unwashed public
> > > they need a "clean" simple and brain-dead solution or they will continue
> > > to go with the flow.
> > >
> > > Consentration of economic power like we see in Verisign at this point is
> > > NEVER healthy - or am I overreacting?
> > >
> > >
> > >
> > >
> > > __
> > > OpenSSL Project http://www.openssl.org
> > > User Support Mailing List[EMAIL PROTECTED]
> > > Automated List Manager   [EMAIL PROTECTED]
> > __
> > OpenSSL Project http://www.openssl.org
> > User Support Mailing List[EMAIL PROTECTED]
> > Automated List Manager   [EMAIL PROTECTED]
> >
>
>
>__
>OpenSSL Project http://www.openssl.org
>User Support Mailing List[EMAIL PROTECTED]
>Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



RE: Verisign/NSI/Thawte monopoly

2000-03-28 Thread Michal Trojnara

Odpowiedz automatyczna:

Do 31 marca jestem na szkoleniu.
W pilnych sprawach prosze o kontakt z Romanem Iwanickim.

Z powazaniem,
Michal Trojnara

>>> "[EMAIL PROTECTED]" 03/29/00 04:45 >>>

Hi,

Take a look at http://www.openca.org



Sam Stern, Bethesda, MD, USA


> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of dreamwvr
> Sent: Tuesday, March 28, 2000 6:18 PM
> To: [EMAIL PROTECTED]; Hostmaster; [EMAIL PROTECTED]
> Subject: RE: Verisign/NSI/Thawte monopoly
>
>
> hi,
>   IMHO someone should create a central trusted CA that is
> open sourced for
> all to trust however that would take some doing..;-))
> ..anyone interested:-))
> On Tue, 28 Mar 2000, Hostmaster wrote:
> > There is no governing body that I am aware of. Is it to be yet
> > another Amercian led thing? That is what got things to the state
> > they're in now.
> >
> > Also, what would be an appropriate list to discuss these
> things, if
> > not openssl-users?
> >
> > Bill Laakkonen
> > www.im1.net
> >
> > > -BEGIN PGP SIGNED MESSAGE-
> > >
> > > It's time to have some kind of governing body
> > > to force the browser makers include all accredited
> > > CA's in the list of automatically trusted CA's.
> > > Not the ones that pay them big $$$.
> > >
> >
> >
> 
> __
> > OpenSSL Project
http://www.openssl.org
> User Support Mailing List
[EMAIL PROTECTED]
> Automated List Manager
[EMAIL PROTECTED]
--
__
_

** DREAMWVR.COM - TOTAL INTERNET SERVICES 
TOTAL DESIGN - DEVELOPMENT - INTEGRATION - SECURITY - Click Here..
<http://www.dreamwvr.com/services/MAX_SEC.html>
DREAMWVR.COM - The Console of Many... 90 Topics Covered
<http://www.dreamwvr.com/dynamicduo.html>
<mailto:[EMAIL PROTECTED]>
->> LINUX-MANDRAKE Solution Provider and North American Distributor
<<-
PRODUCT OF THE YEAR!
<http://www.dreamwvr.com/mandrake/mandrake-main.html>
"===0 PGP Key Available
*** "As Unique as the Company You Keep." *
"If anyone speaks from DREAMWVR.COM its certainly not me:-)"
__
__

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



RE: Verisign/NSI/Thawte monopoly

2000-03-28 Thread terr

I looked closely into purchasing a cert from Thawte and it is still
something WE'll have to do.  What strikes me though is that it seems to me
that there is no real value in such a thing.

I can for instance incorporate a company and shell out about $200 and get
my cert.  After that everyone trusts me.  Total cost is oh about $500 or
so if I do the incorportion myself.  This is pretty trivial actually.

I could be in jail for FRAUD and still get a cert.


So it seems to me that while the cert may certify that said organization
is who they say they are - nobody seems to ask if who they say they are
has any relevance to anything.  

I fact - I'll bet I can go down to our local government offices in Canada
and register Ajax Web Contractors and then send a cert request on to
Thawte and since Ajax now exists and is legitamately registered as say a
"sole proprietorship" - the cert will be issued.

Last time I registered a "sole proprietorship" it cost me $5.00 and I
don't recall them asking for ID.

The problem of course is that a chain is only as strong as its weakest
link and the threads that bind cert security together appear really
tenuous to me.

=

That having been said - we have a very practical problem on our hands.
Microsoft saw fit to include a very LIMITED number of cert issuing
authorities in IE and the majority of people use IE.  IMHO there IS no
security in a windows system anyway and precious little in the fact that
somebody issued said cert to said fly-by-night ecommerce organization.
Still - people want to see the little key-lock on and certain commercial
interests know this and are busy purchasing the key players in the
interest of milking cyberspace - with I might add - little consern as to
the INTENT of a certification process.

I therefore see no moral reasons why we just don't go into IE and patch a
few files to introduce a few new players.  

I suspect there will be a moral outcry over such a suggestion but the
other alternative seems to be for each of us who has an e-commerce
interest - to quietly hand over to some wealthy American interests a
ransom for the priviledge of doing e-commerce.

Or to put it another way - I do business and I deal with my bank for
instance.  I trust my bank...  and I would be quite happy if my bank
issued a cert for me to use that authenticates that my company is a good
corporate citizen and in good standing with the bank at least.  A cert
from my bank would mean something.  A cert from Thawte does not and
neither does a cert from Verisign.  Since my bank for instance would be
considered probably by the vast majority of customers to be a far more
reliable measure of e-commerce trustworthiness, why should my bank be
forced into the situation of having to fork over hundred's of thousands or
even millions for literally NOTHING... if it wants to issue a cert?  

This is a ransom fee and little more.

=

I think it is quite germain to us who develope the keys that enable
internet commerce and security to look at the broader issue of who
controls and profits from the technology we develop.  

 


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



RE: Verisign/NSI/Thawte monopoly

2000-03-28 Thread Kevin Evans

On Tuesday, March 28, 2000 at 04:18:15 PM, [EMAIL PROTECTED] wrote:

> hi,
>   IMHO someone should create a central trusted CA that is open sourced for 
> all to trust however that would take some doing..;-)) ..anyone interested:-))

I'm game for putting in some time/effort - but I think you're possibly underestimating 
the sheer volume of work that would go into creating a CA that *everyone* would trust. 

You'd have to do an awful lot of verification work on each and every cert (personal or 
server) before anyone trusted you... let alone all of them.

That said... if someone has an idea of how to do this and make it work, count me in. :)

Kevin


 
Kevin Evans | [EMAIL PROTECTED] 
 
A government big enough to give you everything you want is a
government big enough to take from you everything that you have.
--- Gerald Ford
 
#!/bin/perl -sp0777ihttp://www.thewalledcity.net/


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



RE: Verisign/NSI/Thawte monopoly

2000-03-28 Thread Sam Stern

Hi,

Take a look at http://www.openca.org



Sam Stern, Bethesda, MD, USA


> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of dreamwvr
> Sent: Tuesday, March 28, 2000 6:18 PM
> To: [EMAIL PROTECTED]; Hostmaster; [EMAIL PROTECTED]
> Subject: RE: Verisign/NSI/Thawte monopoly
>
>
> hi,
>   IMHO someone should create a central trusted CA that is
> open sourced for
> all to trust however that would take some doing..;-))
> ..anyone interested:-))
> On Tue, 28 Mar 2000, Hostmaster wrote:
> > There is no governing body that I am aware of. Is it to be yet
> > another Amercian led thing? That is what got things to the state
> > they're in now.
> >
> > Also, what would be an appropriate list to discuss these
> things, if
> > not openssl-users?
> >
> > Bill Laakkonen
> > www.im1.net
> >
> > > -BEGIN PGP SIGNED MESSAGE-
> > >
> > > It's time to have some kind of governing body
> > > to force the browser makers include all accredited
> > > CA's in the list of automatically trusted CA's.
> > > Not the ones that pay them big $$$.
> > >
> >
> >
> 
> __
> > OpenSSL Project
http://www.openssl.org
> User Support Mailing List
[EMAIL PROTECTED]
> Automated List Manager
[EMAIL PROTECTED]
--
__
_

** DREAMWVR.COM - TOTAL INTERNET SERVICES 
TOTAL DESIGN - DEVELOPMENT - INTEGRATION - SECURITY - Click Here..
<http://www.dreamwvr.com/services/MAX_SEC.html>
DREAMWVR.COM - The Console of Many... 90 Topics Covered
<http://www.dreamwvr.com/dynamicduo.html>
<mailto:[EMAIL PROTECTED]>
->> LINUX-MANDRAKE Solution Provider and North American Distributor
<<-
PRODUCT OF THE YEAR!
<http://www.dreamwvr.com/mandrake/mandrake-main.html>
"===0 PGP Key Available
*** "As Unique as the Company You Keep." *
"If anyone speaks from DREAMWVR.COM its certainly not me:-)"
__
__

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



RE: Verisign/NSI/Thawte monopoly

2000-03-28 Thread Michal Trojnara

Odpowiedz automatyczna:

Do 31 marca jestem na szkoleniu.
W pilnych sprawach prosze o kontakt z Romanem Iwanickim.

Z powazaniem,
Michal Trojnara

>>> "[EMAIL PROTECTED]" 03/29/00 01:18 >>>

hi,
  IMHO someone should create a central trusted CA that is open sourced for 
all to trust however that would take some doing..;-)) ..anyone interested:-))
On Tue, 28 Mar 2000, Hostmaster wrote:
> There is no governing body that I am aware of. Is it to be yet 
> another Amercian led thing? That is what got things to the state 
> they're in now. 
> 
> Also, what would be an appropriate list to discuss these things, if 
> not openssl-users? 
> 
> Bill Laakkonen
> www.im1.net
> 
> > -BEGIN PGP SIGNED MESSAGE-
> > 
> > It's time to have some kind of governing body
> > to force the browser makers include all accredited
> > CA's in the list of automatically trusted CA's.
> > Not the ones that pay them big $$$.
> > 
> 
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List[EMAIL PROTECTED]
> Automated List Manager   [EMAIL PROTECTED]
-- 
___

** DREAMWVR.COM - TOTAL INTERNET SERVICES 
TOTAL DESIGN - DEVELOPMENT - INTEGRATION - SECURITY - Click Here..

DREAMWVR.COM - The Console of Many... 90 Topics Covered
 
->> LINUX-MANDRAKE Solution Provider and North American Distributor <<-
PRODUCT OF THE YEAR!

"===0 PGP Key Available 
*** "As Unique as the Company You Keep." *
"If anyone speaks from DREAMWVR.COM its certainly not me:-)"


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



RE: Verisign/NSI/Thawte monopoly

2000-03-28 Thread dreamwvr

hi,
  IMHO someone should create a central trusted CA that is open sourced for 
all to trust however that would take some doing..;-)) ..anyone interested:-))
On Tue, 28 Mar 2000, Hostmaster wrote:
> There is no governing body that I am aware of. Is it to be yet 
> another Amercian led thing? That is what got things to the state 
> they're in now. 
> 
> Also, what would be an appropriate list to discuss these things, if 
> not openssl-users? 
> 
> Bill Laakkonen
> www.im1.net
> 
> > -BEGIN PGP SIGNED MESSAGE-
> > 
> > It's time to have some kind of governing body
> > to force the browser makers include all accredited
> > CA's in the list of automatically trusted CA's.
> > Not the ones that pay them big $$$.
> > 
> 
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List[EMAIL PROTECTED]
> Automated List Manager   [EMAIL PROTECTED]
-- 
___

** DREAMWVR.COM - TOTAL INTERNET SERVICES 
TOTAL DESIGN - DEVELOPMENT - INTEGRATION - SECURITY - Click Here..

DREAMWVR.COM - The Console of Many... 90 Topics Covered
 
->> LINUX-MANDRAKE Solution Provider and North American Distributor <<-
PRODUCT OF THE YEAR!

"===0 PGP Key Available 
*** "As Unique as the Company You Keep." *
"If anyone speaks from DREAMWVR.COM its certainly not me:-)"


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



RE: Verisign/NSI/Thawte monopoly

2000-03-28 Thread Hostmaster

There is no governing body that I am aware of. Is it to be yet 
another Amercian led thing? That is what got things to the state 
they're in now. 

Also, what would be an appropriate list to discuss these things, if 
not openssl-users? 

Bill Laakkonen
www.im1.net

> -BEGIN PGP SIGNED MESSAGE-
> 
> It's time to have some kind of governing body
> to force the browser makers include all accredited
> CA's in the list of automatically trusted CA's.
> Not the ones that pay them big $$$.
> 

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Re: Verisign/NSI/Thawte monopoly

2000-03-28 Thread Michael Sierchio

[EMAIL PROTECTED] wrote:
> 
> Gee,
> 
> Before I get flamed for the Subject:
> Of course, Verisign and Thawte are American and South African
> companies, so cannot be a monopoly

You are not well informed on the subject of law in the EU or US.
A merger, acquisition or other alliance that does or has the potential
to significantly reduce competition falls under numerous statutes.

The fact that these companies are registered in different countries
is irrelevant -- where they sell their products is what counts.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



RE: Verisign/NSI/Thawte monopoly

2000-03-28 Thread Geoff Thorpe

Hi there,

>It's time to have some kind of governing body
>to force the browser makers include all accredited
>CA's in the list of automatically trusted CA's.
>Not the ones that pay them big $$$.

Only if they also ensure that the CAs also pass some level of periodic
audit-review to ensure they're worthy of "assumed trustworthiness" by the
millions of unwitting dupes out there ... namely us, the browser users.

Without such an *international* standards mechanism in place (this should
not be another US-controlled thing IMHO), *no* CAs should be installed by
default, after all - if the CA hasn't been validated by some public body as
worthy of issuing certificates of identity (or corporation, or whatever)
then it is only superior to my own cooked up CA by way of its size, PR, and
operational capacity (it can blindly stamp certificates at a greater rate
per hour than I can). Hence, without any such independant review, their CA
cert deserves to be embedded in the browser no more than mine does.

So the question is not so much "who else deserves to have a CA cert
included in the browser", but rather "do the CA certs embedded in the
browser deserve to be there". There's a subtle but salient distinction.

You're certainly right that getting a CA cert embedded in the browsers
through an exchange of funds is highly unethical ... bundling audio-visual
tools, ISP service promotions, etc is a pain, but that's business and you
can understand that - even if it's annoying. However, a browser's handling
of security, and certification in particular, is an issue that begins to
touch on areas of civil-liberties, privacy, trade-secrets, law (eg.
digitial signature legislation, credit-card fraud), and perhaps (for the
first time I have ever found it acceptable to use this phrase) "national
security". On reflection of that, buying a place in the trusted root cert
repository is a highly immoral, unethical, and corrupt process. After all,
for 99.9% of the populus, the embedded CA certs in their browser are
effectively the "arbiters of identity" on the Internet ... a dubious role
for private software companies to just be handing out to the highest bidders.

Just my $0.02 worth ... (which will *not* buy my way into those root cert
stores, but then the current quality of browser security does not provide
too many obstacles to me forcing its way in there anyway). :-)

Cheers,
Geoff


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



RE: Verisign/NSI/Thawte monopoly

2000-03-28 Thread Salz, Rich

This is way off-topic, but:

>force the browser makers include all accredited CA's in the list

Please define "accredited CA"

But somewhere else, not this list. :)
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



RE: Verisign/NSI/Thawte monopoly

2000-03-28 Thread Paul Khavkine

-BEGIN PGP SIGNED MESSAGE-

It's time to have some kind of governing body
to force the browser makers include all accredited
CA's in the list of automatically trusted CA's.
Not the ones that pay them big $$$.

Cheers
Paul

On Tue, 28 Mar 2000, you wrote:
> Gee,
> 
> Before I get flamed for the Subject:
> Of course, Verisign and Thawte are American and South African 
> companies, so cannot be a monopoly(Two American companies 
> doing this likely would), and of course NSI, the major marketer of 
> Versign certs, is a registrar for domains, and this cannot be 
> considered as a monopoly either. 
> 
> First I've heard any comments on the list, and I've been listening for 
> a while now. 
> 
> You may want to check out the project forming at 
> http://www.freecert.org
> 
> Bill Laakkonen
> 
> On 28 Mar 00, at 10:30, Tariq Habib wrote:
> 
> > I fully support your point of view. 
> > 
> > > -Original Message-
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED]]On Behalf Of
> > > [EMAIL PROTECTED]
> > > Sent: Tuesday, March 28, 2000 5:20 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: Verisign
> > > 
> > > 
> > > I just found out that Verising has aquired NSI.  A short while back they
> > > aquired Thawte .
> > > 
> > > 
> > > 
> > > I think some of us should be looking into ways to get certs from a "real"
> > > competitor to Verisign recognized by IE and Netscape.
> > > 
> > > I know that netscape allows easy importation of a cert and that IE is a
> > > bit of a bugger - but for the vast majority of the great unwashed public
> > > they need a "clean" simple and brain-dead solution or they will continue
> > > to go with the flow.  
> > > 
> > > Consentration of economic power like we see in Verisign at this point is
> > > NEVER healthy - or am I overreacting?
> > > 
> > > 
> > > 
> > > 
> > > __
> > > OpenSSL Project http://www.openssl.org
> > > User Support Mailing List[EMAIL PROTECTED]
> > > Automated List Manager   [EMAIL PROTECTED]
> > __
> > OpenSSL Project http://www.openssl.org
> > User Support Mailing List[EMAIL PROTECTED]
> > Automated List Manager   [EMAIL PROTECTED]
> > 
> 
> 
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List[EMAIL PROTECTED]
> Automated List Manager   [EMAIL PROTECTED]
- -- 
*
 Paul Khavkine  
 Tucows International Corp.
 96 Mowat Avenue
 Toronto, Ontario
 M6K 3M1
 [EMAIL PROTECTED]
 ICQ: 8882921

 PGP Key:
 Type Bits/KeyID Date   User ID
 pub  2048/D467B527  1999/04/12 Paul Khavkine <[EMAIL PROTECTED]>
 Key fingerprint = 33 92 6A 87 23 81 3F 44 5A 7D F3 8F 03 CE 2D 60



-BEGIN PGP SIGNATURE-
Version: 2.6.3i
Charset: noconv

iQEVAwUBOODiTVj6i6zUZ7UnAQFRNgf+MSxj9u9GdGLm6TpUXsMHyemvN2WIQdcQ
UpAtcJF3aBaF0HQplK+/UfS2ChcpEMRhNo/RtjgIpyTjdHn0R+609goXUpMB/jaE
Ihoi9XL8KytxVMBWx3uyqauh2v5pAfylfkg1zu49WC91N7DmkuXKwVDZDM7C+68V
zc9wLeXd3M2HkWQKCQsLuW2yuVS2oBgX+Pkjsxi/kEv5aTDCNAcoFZ4iF53uL2Sv
JVugA76jk9zt4vU8e5pRq8fnWZx7pzzMx6nlLxZBCTy2nKk2zh/rvQcJtWORabwv
LChQGnt+nNbKMkCBAPdFCbqbeyJvJrq+d2Jx4WvVTKFypWGb9nqELA==
=RYkF
-END PGP SIGNATURE-
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



RE: Verisign/NSI/Thawte monopoly

2000-03-28 Thread hostmaster

Gee,

Before I get flamed for the Subject:
Of course, Verisign and Thawte are American and South African 
companies, so cannot be a monopoly(Two American companies 
doing this likely would), and of course NSI, the major marketer of 
Versign certs, is a registrar for domains, and this cannot be 
considered as a monopoly either. 

First I've heard any comments on the list, and I've been listening for 
a while now. 

You may want to check out the project forming at 
http://www.freecert.org

Bill Laakkonen

On 28 Mar 00, at 10:30, Tariq Habib wrote:

> I fully support your point of view. 
> 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]]On Behalf Of
> > [EMAIL PROTECTED]
> > Sent: Tuesday, March 28, 2000 5:20 AM
> > To: [EMAIL PROTECTED]
> > Subject: Verisign
> > 
> > 
> > I just found out that Verising has aquired NSI.  A short while back they
> > aquired Thawte .
> > 
> > 
> > 
> > I think some of us should be looking into ways to get certs from a "real"
> > competitor to Verisign recognized by IE and Netscape.
> > 
> > I know that netscape allows easy importation of a cert and that IE is a
> > bit of a bugger - but for the vast majority of the great unwashed public
> > they need a "clean" simple and brain-dead solution or they will continue
> > to go with the flow.  
> > 
> > Consentration of economic power like we see in Verisign at this point is
> > NEVER healthy - or am I overreacting?
> > 
> > 
> > 
> > 
> > __
> > OpenSSL Project http://www.openssl.org
> > User Support Mailing List[EMAIL PROTECTED]
> > Automated List Manager   [EMAIL PROTECTED]
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List[EMAIL PROTECTED]
> Automated List Manager   [EMAIL PROTECTED]
> 


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]