From owner-freebsd-questions@FreeBSD.ORG Wed Jan 7 04:20:49 2009
From: Mel
To: freebsd-questions@freebsd.org
Cc: Olivier Nicole, perrin@apotheon.com
Date: Tue, 6 Jan 2009 19:20:34 -0900
Subject: OT: The future of CA's (Was: Re: Foiling MITM attacks on source and ports trees)
Message-Id: <200901061920.34312.fbsd.questions@rachie.is-a-geek.net>
In-Reply-To: <200901070256.n072uhqW043681@banyan.cs.ait.ac.th>
References: <20090102164412.GA1258@phenom.cordula.ws> <200901061111.52155.fbsd.questions@rachie.is-a-geek.net> <200901070256.n072uhqW043681@banyan.cs.ait.ac.th>

On Tuesday 06 January 2009 17:56:43 Olivier Nicole wrote:
> Hi,
>
> > It shouldn't be so hard to give every citizen the option to "get an
> > online certificate corresponding with their passport" and similarly for
> > Chambers of Commerce to provide certificates for businesses.
>
> Only that would mean that 200 countries become Certificate Authorities
> and tens of thousands of Chambers of Commerce become too.
>
> Would you be ready to trust some very remote Chamber of Commerce of
> some third world country to be a trustworthy CA?

About the same amount as I trust their Chamber of Commerce registration.
Remember that certs are used to establish a trust relationship ultimately
leading to a legally binding sale/purchase agreement. If I don't trust the
Chamber of Commerce of the country in question, I certainly don't have a
reason to do business with that company. In fact, having a 3rd party obscure
the origin of the company is misleading, as in case of conflict, what exactly
are your rights and how would they be resolved? Is this company even allowed
to do business under this name/with these products, etc etc.

> Not to mention that to manage these so many CAs, you need an
> infrastructure that is yet to be deployed.

Actually, the infrastructure is already there. District governments already
have an infrastructure to verify the identity of a person. Companies like
Verisign had to implement this separately. The thing that's missing is that
governments do not see their responsibility.

Yes, I do realize that the newly created CA's would have to be added to the
list of trusted CA's for SSL clients. In a transitional period, this could be
done in a backwards-compatible way by temporarily chaining to a root CA that's
already "known". Perhaps this technology even needs to be revisited as the
potential list can outgrow the intent of the current scheme. However, I don't
consider this a bad thing(tm). If there's one thing the internet has shown,
it's that adoption of new technology can be near instantaneous (Bittorrent,
iTunes, email, IM to name a few).

-- 
Mel

Problem with today's modular software: they start with the modules
and never get to the software part.