[OpenID] Logging in problem
Eddy Nigg (StartCom Ltd.)
eddy_nigg at startcom.org
Mon Dec 15 23:50:35 UTC 2008
On 12/16/2008 01:11 AM, Peter Williams:
>
> Oh, it’s got just so much so very more interesting!
>
I really, really don't want to get into this here....but a few hints
nevertheless ;-)
>
> On looking into this with trivial effort (far below the level of
> reasonableness of a security professional) :-
>
> "Note that certificate authorities whose certificates are included in
> this package are not in any way audited for trustworthiness and RFC
> 3647 compliance, and that full responsibility to assess them rests
> with the user."
>
> [http://packages.debian.org/etch/ca-certificates]
>
They added this disclaimer after we almost succeeded in getting a
friend's hobby CA certificate included about two years ago. The
maintainer apparently realized it and removed the bug - and added this
disclaimer.
> Now, yesterday the CA parties on whom the election software was
> configured to rely may have been (though strangely, Eddy CA's is also
> reputed to have worked:)
>
Because it's in the Mozilla builtin CA certificates.
> Now, don't I recall Eddy recommend (as a purported member, and
> claiming Nominator of a Candidate) that CA.Cert is not a body the
> Foundation would really want to associate too closely with -- let alone
> be partly responsible for the integrity of its election process?
>
> " Give me a break....not going to argue here at OpenID about the use
> of CAcert, but it's basically crap! Not even worth the digital paper
> those certs are issued on. And their relying parties agreement is
> worse than anything else I've seen in this industry so far. Even worse
> than VeriSign! Neither does CAcert represent Open Source (sick) nor
> anything open at all. Read their subscriber agreement, my friend,
> educate yourself!"
> [http://openid.net/pipermail/general/2008-December/006831.html]
>
>
Here are some hints for the interested. Check out
blog.CAcert.org/2008/09/327.html and, quoting from
wiki.cacert.org/wiki/PolicyDrafts/FAQ:
"...whereas in CAcert's Community, only members are permitted to be
relying parties. For us, the net users are covered in the NRP-DaL
and are permitted to USE, not RELY."
Therefore, do what you think is best for the foundation.
Regards
Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390