[OpenID] Rule of thumb

John Wang jwanggroups at gmail.com
Fri Jul 13 14:38:46 UTC 2007


On 7/13/07, Eddy Nigg (StartCom Ltd.) <eddy_nigg at startcom.org> wrote:
>
>  John Wang wrote:
>
> In the PKI world, the mega-CAs are embedded in the browsers that
> automatically trust those CAs on behalf of the users, with most users not
> even realizing the browser ISV is making a trust decision for them. I've
> been wondering if there's anything wrong with CAs like CAcert that provide
> free certs to just provide encryption, as opposed to authentication. I see
> mega-IDPs like mega-CAs and do-it-yourself IDPs like CAcert.
>
> Yes, there is something wrong with it and you should ask yourself, why
> CAcert isn't in any browser at all....just ask the Mozilla folks about
> it...If you need digital certification for low-assurance and encryption
> purpose only you can get them for free from StartCom:
> http://cert.startcom.org/ (Class 1, one year valid).
>

Thanks for mentioning StartCom, Eddy. I haven't looked at TLS/SSL certs in a
while, so this is new and welcome to me. As for why CAcert isn't in a browser, I
figured there was an artificial linkage between encryption and trust in
TLS/SSL that doesn't need to be there, except that's how the technology and
user acceptance matured. I'm not sure whether the issue is more that CAcert
is doing something wrong or that TLS/SSL matured differently than it could
have. A hypothetical question is whether it's wrong to have the browser
pre-trust any CA for its users.

I haven't looked into Mozilla's specific reasons for excluding CAcert, but,
assuming the reason can be generalized, if there is something wrong with
CAcert, could the same reasoning be applied to many IDPs?

-- 
John Wang
http://www.dev411.com/blog/
