[plug] Alternatives to Verisign/Thawte

Onno Benschop onno at itmaze.com.au
Thu Sep 18 19:31:19 WST 2003


On Thu, 2003-09-18 at 19:17, James Devenish wrote:
> In message <1063882675.1692.18.camel at latte.internal.itmaze.com.au>
> on Thu, Sep 18, 2003 at 06:57:55PM +0800, Onno Benschop wrote:
> > you really, really don't need to use a Certificate Authority to get an
> > SSL server certificate.
> 
> Correct... (Though, of course, we're using TLS now, right ;)
> 
> > My understanding is that for a server certificate to be from a CA is
> > only useful in any way if you're taking money off a client where there
> > is no prior relationship between you and the client.
> 
> Consider that many uses of web PKI will be between a site and a *new*
> user or an old user who is not using the same machine all the time (e.g.
> secure webmail from Internet cafes). Not only will such people receive
> undesirable warnings from their browsers, but some browsers (e.g.
> Internet Explorer) make users jump through elaborate hoops to get rid of
> "those annoying messages". Also, consider that PKI is providing
> *authentication* as well as *encryption*. It is fine to say that your
> regular webmail users would "know" that they're receiving a trustable
> certificate from your site, but that's completely ruining the
> authentication mechanism. If you *only* need encryption then you are
> quite correct.


Hold on, am I reading here that you're saying that getting a certificate
from an authority (e.g. one that MS trusted enough to build into IE), is
a trustable certificate?

Because without wanting to flame or insult you, that's bollocks.

My whole point is that a certificate only works if you trust the person
who signed it. If I start issuing certificates, then Matt stands up and
says: "This Onno guy is trustworthy", then Ben stands up and says "Matt
knows what he's talking about.", then Jon says that "he knows Ben and
he's a good guy", and you know Jon, you can trust certificates that come
from me.

The whole idea about this stuff is that "the message that was sent from
the server wasn't changed and came from a friend of a friend of a
friend."

Unless of course I'm talking out of my ass, but then you need to tell me
that.

Again, if PLUG decides to issue certificates and enough people trust
PLUG, it is as valid a certificate as one from one that's built into
IE. A much larger problem is if a big organisation - say a telco -
chooses an authority that you don't recognise, and you don't see any
reference to that authority on their pages.

Your argument about adding certificates is bunk, because it won't be a
monopoly of trust for much longer the way these clowns are acting.
Please, if you felt threatened by my language, I'm sorry. If I'm wrong,
please correct me.

Cheers,


Onno Benschop 

Connected via Optus B3 at S15:51'18" - E128:45'05" (Crossing Falls, Kununurra, WA)
-- 
()/)/)()        ..ASCII for Onno.. 
|>>?            ..EBCDIC for Onno.. 
--- -. -. ---   ..Morse for Onno.. 

Proudly supported by Skipper Trucks, Highway1, Concept AV, Sony Central, Dalcon
ITmaze - ABN: 56 178 057 063 - ph: 04 1219 8888 - onno at itmaze dot com dot au

_______________________________________________
plug mailing list
plug at plug.linux.org.au
http://mail.plug.linux.org.au/cgi-bin/mailman/listinfo/plug
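The trust argument above, as an added example that is not code from this thread, from Onno or from PLUG: one home-made CA (standing in for a "PLUG CA") signs a server certificate, and openssl then verifies that same certificate against two different trust stores, showing that "valid" depends only on whose CA the verifier has chosen to trust. It assumes the openssl CLI is on PATH; the CA names and the hostname are made up.

```shell
#!/bin/sh
# Added example, not code from this thread, from Onno or from PLUG.
# Assumes the openssl CLI is on PATH; the CA names and hostname are made up.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# A home-made CA standing in for "PLUG CA": nothing but a self-signed cert.
make_plug_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=PLUG Example CA" \
    -keyout "$WORK/plug-ca.key" -out "$WORK/plug-ca.crt" 2>/dev/null
}

# A server certificate issued (signed) by that CA.
make_server_cert() {
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=www.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$WORK/server.csr" \
    -CA "$WORK/plug-ca.crt" -CAkey "$WORK/plug-ca.key" -CAcreateserial \
    -out "$WORK/server.crt" 2>/dev/null
}

# Verify the server cert against a given trust store (one CA file).
# Prints "ok" when the chain ends in a trusted CA, "untrusted" otherwise.
verify_against() {
  if openssl verify -CAfile "$1" "$WORK/server.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo untrusted
  fi
}

# The "browser" case: a trust store holding a different CA entirely.
make_other_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Some Other CA" \
    -keyout "$WORK/other-ca.key" -out "$WORK/other-ca.crt" 2>/dev/null
}

make_plug_ca
make_server_cert
make_other_ca
# Same certificate, two verdicts; only the trust store differs.
echo "trust store = PLUG CA:  $(verify_against "$WORK/plug-ca.crt")"   # ok
echo "trust store = other CA: $(verify_against "$WORK/other-ca.crt")"  # untrusted
```

The second verdict is exactly what a browser shipping only its built-in roots reports for a PLUG-signed certificate; add the PLUG CA to its store and the same certificate verifies.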
