[OpenID] Logging in problem

Eddy Nigg (StartCom Ltd.) eddy_nigg at startcom.org
Mon Dec 15 23:50:35 UTC 2008


On 12/16/2008 01:11 AM, Peter Williams:
>
> Oh, it’s got just so much so very more interesting!
>

I really, really don't want to get into this here....but a few hints 
nevertheless ;-)

>
> On looking into this with trivial effort (far below the level of 
> reasonableness of a security professional) :-
>
> "Note that certificate authorities whose certificates are included in 
> this package are not in any way audited for trustworthiness and RFC 
> 3647 compliance, and that full responsibility to assess them rests 
> with the user."
>
> [http://packages.debian.org/etch/ca-certificates]
>

They added this disclaimer after we almost succeeded in getting a 
friend's hobby CA certificate included about two years ago. The 
maintainer apparently realized it and removed the bug - and added this 
disclaimer.


> Now, yesterday the CA parties on whom the election software was 
> configured to rely may have been (though strangely, Eddy CA's is also 
> reputed to have worked:)
>

Because it's in the Mozilla builtin CA certificates.

> Now, don’t I recall Eddy recommend (as a purported member, and 
> claiming Nominator of a Candidate) that CA.Cert is not a body the 
> Foundation would really want to associate too closely with -- let alone 
> be partly responsible for  the integrity of its election process?
>
> " Give me a break....not going to argue here at OpenID about the use 
> of CAcert, but it's basically crap! Not even worth the digital paper 
> those certs are issued on. And their relying parties agreement is 
> worse than anything else I've seen in this industry so far. Even worse 
> than VeriSign! Neither does CAcert represent Open Source (sick) nor 
> anything open at all. Read their subscriber agreement, my friend, 
> educate yourself!" 
> [http://openid.net/pipermail/general/2008-December/006831.html]
>
>

Here are some hints for the interested. Check out 
blog.CAcert.org/2008/09/327.html and, quoting from 
wiki.cacert.org/wiki/PolicyDrafts/FAQ:

    ...whereas in CAcert's Community, only members are permitted to be
    relying parties. For us, the net users are covered in the NRP-DaL
    and are permitted to USE not RELY.

Therefore, do what you think is best for the foundation.


Regards
Signer: 	Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: 	startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: 	Join the Revolution! <http://blog.startcom.org>
Phone: 	+1.213.341.0390
