[OpenID] Rule of thumb

Peter Williams pwilliams at rapattoni.com
Fri Jul 13 19:22:45 UTC 2007


CAcert is not in a browser as one particular mega-CA trade association turned CAcert into a kickball. They inappropriately used their influence to set the bar in the major browsers' distribution so the very “category of ‘open-source’ trust model” being pursued by CAcert is hindered - and can only fail to pass the bar. It’s a shameful position for Mozilla to take, though quite an understandable decision by the likes of Apple, Opera and Microsoft and the phone companies (which are businesses).

If I use an all-too-recent American history lesson: folks rig elections by setting reading standards that certain population groups cannot pass; they rig the schooling system so one cannot learn to read; they rig the bus system so one cannot get to school; they rig the food service outlets so you go hungry if you try; they rig the public toilet policy so you suffer on long bus journeys; they ensure there are no hotels for you to stay at mid-trip; they set the vagrancy laws so folks without hotels are criminalized, etc. End process is, 100 years later, you still cannot read, and thus vote for folks who have the power to change any or all of that apparatus of oppression.

From: Eddy Nigg (StartCom Ltd.) [mailto:eddy_nigg at startcom.org] 
Sent: Friday, July 13, 2007 9:43 AM
To: John Wang
Cc: Peter Williams; OpenID - General
Subject: Re: [OpenID] Rule of thumb

Hi John,

John Wang wrote: 

On 7/13/07, Eddy Nigg (StartCom Ltd.) <eddy_nigg at startcom.org> wrote: 

Yes, there is something wrong with it and you should ask yourself why CAcert isn't in any browser at all....just ask the Mozilla folks about it...If you need digital certification for low-assurance and encryption purposes only, you can get them for free from StartCom: http://cert.startcom.org/ (Class 1, one year valid).


Thanks for mentioning StartCom, Eddy. I haven't looked at TLS/SSL certs in a while, this is new and welcome to me. 

I thought that to be already common knowledge ;-)

As for why CAcert isn't in a browser, I figured there was an artificial linkage between encryption and trust in TLS/SSL that doesn't need to be there, except that's how the technology and user acceptance matured. I'm not sure whether the issue is more that CAcert is doing something wrong or that TLS/SSL matured differently than it could have. A hypothetical question is whether it's wrong to have the browser pre-trust any CA for their users?

Most browsers have very similar conditions for shipping a certain CA root in their software by default. You might have a look at http://www.mozilla.org/projects/security/certs/policy/ in order to understand what they are (very reasonable and not too difficult to understand). Now CAcert, as a community-driven web-of-trust scheme "CA", can't meet the basic requirements. In that respect a user should judge carefully if he wants to trust a certain CA - which isn't something everyone browsing the Internet can really understand without an investment in time and certain knowledge. But CAs built into the browser (and other software) meet the requirements put forward by the software vendor. Most likely, for most users, these checks and conditions put forward by the software vendor are sufficient!

I haven't looked into Mozilla's specific reasons for excluding CAcert but assuming the reason can be generalized, if there is something wrong with CAcert, then could the same reasoning be used for many IDPs? 

Yes, I think so! This is one of the things I suggested many times already, so I don't think that IDPs have to meet the same requirements as CAs. But certainly the relying party (in the OpenID world the web site operators of forums, blogs etc.) needs to be sure that the IDPs he wants to trust conform to a minimal standard and basic requirements (of operation). David from Verisign suggested that "some" third-party organizations will perform these services (as for example WebTrust does for CAs); however, I'd certainly prefer that to be something which would come from the OpenID community itself. Or in other words, I think some of us should come together and found/operate this service. This perhaps would allow most sincere IDP operators to perform and provide their service as OpenID providers, only shutting out the ones which would be used for spam and other fraudulent use.

-- 

Regards

Signer:      Eddy Nigg, StartCom Ltd.

Jabber:      startcom at startcom.org

Phone:       +1.213.341.0390
