[OpenID] Rule of thumb

Eddy Nigg (StartCom Ltd.) eddy_nigg at startcom.org
Fri Jul 13 16:42:37 UTC 2007


Hi John,

John Wang wrote:
> On 7/13/07, *Eddy Nigg (StartCom Ltd.)* <eddy_nigg at startcom.org 
> <mailto:eddy_nigg at startcom.org>> wrote:
>
>     Yes, there is something wrong with it and you should ask yourself,
>     why CAcert isn't in any browser at all....just ask the Mozilla
>     folks about it...If you need digital certification for
>     low-assurance and encryption purpose only you can get them for
>     free from StartCom: http://cert.startcom.org/ (Class 1, one year
>     valid).
>
>
> Thanks for mentioning StartCom, Eddy. I haven't looked at TLS/SSL 
> certs in a while, this is new and welcome to me.
I thought that to be already common knowledge ;-)
> As for why CAcert isn't in a browser, I figured there was an artificial 
> linkage between encryption and trust in TLS/SSL that doesn't need to 
> be there, except that's how the technology and user acceptance 
> matured. I'm not sure whether the issue is more that CAcert is doing 
> something wrong or that TLS/SSL matured differently than it could 
> have. A hypothetical question is whether it's wrong to have the 
> browser pre-trust any CA for its users?
Most browsers have very similar conditions for shipping a certain CA 
root in their software by default. You might have a look at 
http://www.mozilla.org/projects/security/certs/policy/ in order to 
understand what they are (very reasonable and not too difficult to 
understand). Now CAcert, as a community-driven web-of-trust scheme "CA", 
can't meet the basic requirements. In that respect a user should judge 
carefully if he wants to trust a certain CA - which isn't something 
everyone browsing the Internet can really understand without an 
investment in time and certain knowledge. But CAs built into the browser 
(and other software) meet the requirements put forward by the software 
vendor. Most likely, for most users, these checks and conditions put 
forward by the software vendor are sufficient!
>
> I haven't looked into Mozilla's specific reasons for excluding CAcert 
> but assuming the reason can be generalized, if there is something 
> wrong with CAcert, then could the same reasoning be used for many IDPs?
Yes, I think so! This is one of the things I suggested many times 
already, so I don't think that IDPs have to meet the same requirements 
as CAs. But certainly the relying party (in the OpenID world the web 
site operators of forums, blogs etc.) needs to be sure that the IDPs it 
wants to trust conform to a minimal standard and basic requirements (of 
operation). David from Verisign suggested that "some" third-party 
organizations will perform these services (as, for example, WebTrust does 
for CAs); however, I'd certainly prefer that to be something which would 
come from the OpenID community itself. Or in other words, I think some 
of us should come together and found/operate this service. This perhaps 
would allow most sincere IDP operators to perform and provide their 
service as OpenID providers, only shutting out the ones which would be 
used for spam and other fraudulent use.

-- 
Regards
 
Signer:      Eddy Nigg, StartCom Ltd.
Jabber:      startcom at startcom.org
Phone:       +1.213.341.0390