Re: [Discuss] free certs everywhere
On 12/23/2014 9:20 PM, Tom Metro wrote:
> The point stands that in the beginning, there weren't choices for cert levels. And as you point out, there were significant labor costs involved for what they did provide. So it would be illogical for someone to mandate that they give away that service.

That's because what you call basic and extended verification are the same thing as far as X.509 PKI as designed is concerned. X.509 is an identity management specification. A CA issues you a certificate only after it has verified that you are who you say you are. In a government or commercial agency this would be tied to the hiring process. In an education setting it would be tied to the enrollment process. Issuing X.509 certificates without performing these so-called extended verifications is a failure to correctly implement X.509 PKI.

-- 
Rich P.

___
Discuss mailing list
Discuss@blu.org
http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] free certs everywhere
On 12/22/2014 10:43 PM, Tom Metro wrote:
> Probably a big reason this never happened is that when CAs were being established, all that existed were basic certs. The extended validation certs and other value added services were only thought up later. Once the industry was established, hard to correct for that lost opportunity.

You have it backwards. The early certificate authorities like Thawte were all about identity verification. X.509 is not an encryption system; it uses encryption as a mechanism to prove identity. Getting a public certificate -- that is, a certificate from a CA in Netscape's trust storage -- back then was expensive and time-consuming since the handful of extant CAs bothered with things like background checks to ensure that certificate requests were valid. A CA didn't get listed in Netscape's trust storage if it didn't. The proliferation of cheap, minimally verified or unverified certificates is a product of the dot-com bubble which came several years later.

-- 
Rich P.
Re: [Discuss] free certs everywhere
Richard Pieri wrote:
> Tom Metro wrote:
>> Probably a big reason this never happened is that when CAs were being established, all that existed were basic certs.
>
> The early certificate authorities...were all about identity verification. ...the handful of extant CAs bothered with things like background checks to ensure that certificate requests were valid.

Yes, exactly. Basic was the wrong choice of words, but they were basic in the sense that they didn't include the extended validation properties, which didn't exist then. And you're correct that the procedure for getting a basic cert then more closely resembled the verification procedures that exist today for extended validation certs.

The point stands that in the beginning, there weren't choices for cert levels. And as you point out, there were significant labor costs involved for what they did provide. So it would be illogical for someone to mandate that they give away that service.

-Tom

-- 
Tom Metro
The Perl Shop, Newton, MA, USA
Predictable On-demand Perl Consulting.
http://www.theperlshop.com/
Re: [Discuss] free certs everywhere
Edward Ned Harvey (blu) wrote:
> If that argument holds, then *no* certificate authority should be able to charge for issuing certs.

That's a good idea. No, seriously.

It doesn't appear that a central organization holds sway over CAs, unlike the way ICANN rules over domain registries, but if there is such an organization, they could have mandated that the requirements for becoming a CA included that they offer free basic certs (but could charge what they like for more advanced certs and add-ons). If all CAs had to do this, the burden of providing basic certs would be spread evenly across the industry (or at least proportional to their respective marketing budgets).

Unlike domains, there is an unlimited supply of certs. No need to create an artificial scarcity. As StartSSL proved, automation can vastly reduce the cost of supplying such certs.

Probably a big reason this never happened is that when CAs were being established, all that existed were basic certs. The extended validation certs and other value added services were only thought up later. Once the industry was established, hard to correct for that lost opportunity.

There is always the possibility that if free certs from Let's Encrypt CA[1] become popular and widely accepted, commercial CAs will see a significant loss in basic cert business, and choose to offer free certs as a loss-leader to get customers in the fold.

1. http://www.mail-archive.com/discuss%40blu.org/msg09949.html

Gordon Marx wrote:
> Which is why the free cert, pay for revocation model makes so much sense -- signing a CSR takes a one-time hit of some tiny amount of CPU and bandwidth, whereas hosting an OCSP responder or equivalent takes a lot more money and effort. Cert revocation is hard, and when things are hard to do companies can often charge money to do them :--)

Sure, but that's an artifact of the revocation infrastructure being poorly designed. Reality today, but it doesn't need to stay that way.

(OCSP is comparatively the high tech way to do it, but by default I don't think any mainstream browser makes use of it (I have it enabled in my browsers). Due to stubbornness or belief that OCSP fails to adequately solve the problem (it does have issues), browsers stuck with unscalable certificate revocation lists (CRLs). Security Now spent an episode or two on current cert revocation tech and alternatives.)

-Tom

-- 
Tom Metro
The Perl Shop, Newton, MA, USA
Predictable On-demand Perl Consulting.
http://www.theperlshop.com/
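The thread makes two technical points that are easier to see in code than in prose: that X.509 is an identity binding (a CA-signed certificate tied to a name, checked against a trust store), and that revocation is a separate, heavier mechanism whose pointers (an OCSP responder URL and a CRL distribution point) travel inside the certificate itself. The following Go program is an added example written for this page, not code from any of the posters or from any CA; it uses only the Go standard library. The CA name, the hostname `www.example.test`, the serial numbers and both URLs are constructed placeholders; no network access happens. It builds a throwaway CA and leaf, verifies the chain and name binding, then issues a CRL, verifies the CRL's signature against the issuer and looks up a serial, which is exactly the client-side work that a CRL shifts onto every relying party.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must keeps the constructed setup short; a real issuer would handle each error.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// buildPKI issues a self-signed CA and one leaf certificate. The leaf carries both
// revocation pointers a client can follow: an OCSP responder URL (AIA extension)
// and a CRL distribution point. All names, serials and URLs are placeholders.
func buildPKI() (ca *x509.Certificate, caKey *ecdsa.PrivateKey, leaf *x509.Certificate) {
	now := time.Now()
	caKey = must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Demo Root CA (constructed)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // crlSign is required to sign CRLs
	}
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(4242),
		Subject:               pkix.Name{CommonName: "www.example.test"},
		DNSNames:              []string{"www.example.test"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		OCSPServer:            []string{"http://ocsp.example.test/"},          // placeholder
		CRLDistributionPoints: []string{"http://crl.example.test/demo.crl"}, // placeholder
	}
	leaf = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey))))
	return ca, caKey, leaf
}

// verifyIdentity is the identity half of X.509: the chain must end at a trusted
// root and the certificate must be bound to the name the client is connecting to.
func verifyIdentity(leaf, root *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// issueCRL signs a CRL listing the given serials as revoked. An entry stays on the
// list until the certificate expires, which is why CRLs only grow.
func issueCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, revoked []*big.Int) ([]byte, error) {
	now := time.Now()
	entries := make([]pkix.RevokedCertificate, 0, len(revoked))
	for _, s := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	tmpl := &x509.RevocationList{
		Number:              big.NewInt(1),
		ThisUpdate:          now,
		NextUpdate:          now.Add(12 * time.Hour),
		RevokedCertificates: entries,
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
}

// isRevoked does what a CRL-checking client does: reject a CRL whose signature does
// not verify against the issuer, then search the list for the serial in question.
func isRevoked(crlDER []byte, issuer *x509.Certificate, serial *big.Int) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, fmt.Errorf("untrusted CRL: %w", err)
	}
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Cmp(serial) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	ca, caKey, leaf := buildPKI()
	fmt.Println("identity check:", verifyIdentity(leaf, ca, "www.example.test"))
	fmt.Println("OCSP:", leaf.OCSPServer, "CRL DP:", leaf.CRLDistributionPoints)
	crl := must(issueCRL(ca, caKey, []*big.Int{leaf.SerialNumber}))
	fmt.Println("revoked:", must(isRevoked(crl, ca, leaf.SerialNumber)))
}
```

Two things are worth noticing when running it. Signing the leaf is a single `CreateCertificate` call, the "tiny amount of CPU" Gordon describes, while revocation needs a signed artifact that every client must fetch, verify and search on every check. And `issueCRL` called with a large slice of serials produces a proportionally larger DER blob, which is the scaling problem the post attributes to CRLs; an OCSP responder answers per serial instead, at the cost of running a service.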