Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 6 Jan 2009 19:20:34 -0900
From:      Mel <fbsd.questions@rachie.is-a-geek.net>
To:        freebsd-questions@freebsd.org
Cc:        Olivier Nicole <on@cs.ait.ac.th>, perrin@apotheon.com
Subject:   OT: The future of CA's (Was: Re: Foiling MITM attacks on source and ports trees)
Message-ID:  <200901061920.34312.fbsd.questions@rachie.is-a-geek.net>
In-Reply-To: <200901070256.n072uhqW043681@banyan.cs.ait.ac.th>
References:  <20090102164412.GA1258@phenom.cordula.ws> <200901061111.52155.fbsd.questions@rachie.is-a-geek.net> <200901070256.n072uhqW043681@banyan.cs.ait.ac.th>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
On Tuesday 06 January 2009 17:56:43 Olivier Nicole wrote:
> Hi,
>
> > It shouldn't be so hard to give every citizen the option to "get an
> > online certificate corresponding with their passport" and similarly for
> > Chambers of Commerce to provide certificates for businesses.
>
> Only that would mean that 200 countries become Certificate Authorities
> and tens of thousand of Chamber of Commerce become too.
>
> Would you be ready to trust some very remote Chamber of Commerce of
> some thrid world country to be a a thrustworthy CA?

About the same ammount as I trust their Chamber of Commerce registration. 
Remember that certs are used establish a trust relationship ultimately 
leading to a legally binding sale/purchase agreement. If I don't trust the 
Chamber of Commerce of the country in question, I certainly don't have a 
reason to do business with that company. In fact, having a 3rd party obscure 
the origin of the company is misleading, as in case of conflict, what exactly 
are your rights and how would they be resolved? Is this company even allowed 
to do business under this name/with these products, etc etc.

> Not to mention that to manage these so many CA, you need an
> infrastructure that is yet to be deployed.

Actually, the infrastructure is already there. District governments already 
have an infrastructure to verify the identity of a person. Companies like 
Verisign had to implement this seperately. The thing that's missing is that 
governments do not see their responsibility.
Yes, I do realize that the newly created CA's would have to be added to the 
list of trusted CA's for SSL clients. In a transitional period, this could be 
done backwards compatible by temporarily chaining to a root CA that's 
already "known".

Perhaps this technology even needs to be revisited as the potential list can 
outgrow the intent of the current scheme. However, I don't consider this a 
bad thing(tm). If there's one thing the internet has shown is that adoption 
of new technology can be near instantanious (Bittorrent, iTunes, email, IM to 
name a few).
-- 
Mel

Problem with today's modular software: they start with the modules
    and never get to the software part.



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?200901061920.34312.fbsd.questions>