

CA Cert - samueladam
http://www.cacert.org/

======
ghiotion
Oh man, if they could pull this off, that would be so great. It causes me
physical pain to have to shell out $100's to VeriSign for certs.

------
bkrausz
Their website seems very vague if you don't know why you're there, and
information (such as "where do I find assurers/how does one become one?) don't
have easily accessible answers...if they want to garner public support their
site needs to be much more informative.

Wow, I've spent way too much time in web dev...the first thing I do when I
visit a webpage is consider its usability...

------
tubby
I use their SSL certs for domains. Works great. I also use their personal
S/MIME certs. Here's one site using a CAcert SSL certificate. Hostgator only
charged 10 dollars to install it. <https://16systems.com/main.html>

------
tptacek
Uh, hello? Extortionate certificate fees aren't a technical problem. It's the
"getting inclusion into Internet Explorer" problem that actually matters. What
possible evidence do these people have that they'd be successful with this?

~~~
jws
They mention on their wiki that a $75k+$10k/year audit will get them into IE,
but that is out of their price range now. They are in process for mozilla. For
safari the same $75k audit or "equivalent" will suffice.

Perhaps some company will fund them for the PR credit? Perhaps they could take
donations? $85k/yr isn't too much. I'd chip in $20/year in a heartbeat.

------
DanielBMarkham
Something about this doesn't add up.

There are bound to be non-trivial administrative costs and considerations
involved with being a provider. How do you cover all sorts of complex admin
and legal requirements with a free model?

~~~
rms
Donations? Easydns.net was mentioned in the DNS thread as just as good as the
pay competitors, only free. They ask for a $15-$30 donation

~~~
DanielBMarkham
Yeah but DNS management ain't being a certificate authority.

I mean, I have no idea the obstacles. Some that come to mind: having a
certified secure location, keeping records in a fire-proof safe, having yearly
audits, being bonded at some amount, etc.

I know that some folks would consider these just BS barriers set up to keep
the small guys out, but you could make a really good argument that to do what
they want you should have to jump through some of these hoops.

Beats me though. I'm just idly speculating.

~~~
apathy
> Yeah but DNS management ain't being a certificate authority.

Indeed, it's harder in most respects.

Having a certified secure location is actually less good than having a
dispersed and challenged base. This is a solved problem for eg. distributed
hash tables and the techniques can be repurposed here.

Can you tell me with absolute certainty that Thawte or NSI would not
facilitate a man-in-the-middle attack for the right price? And if they did,
how would you know?

~~~
DanielBMarkham
I'm sorry. I was unable to follow your comment.

DNS management is harder than an unknown amount of administrative overhead for
being a certificate authority? I'm not sure I can comment on that one. How
would you know that to be true? Do you know all of the costs involved with
being a certificate authority? If so, you haven't brought them up here.

The next sentence about "having a certified secure location is actually less
good than having a dispersed and challenged base" means what, exactly? I
didn't think we were talking about what was good or not. The point was the
expenses were difficult to overcome on a free model. And why would having a
dispersed and challenged base be good? People who are somehow challenged and
live in random locations are good to have? --- not tracking that.

I have no idea what competitors would or wouldn't do. I believe that plays
into my point: there are a lot more expenses in being an authority than simply
running a crypto routine (from a secure key generator even)

DNS administration is being done all over the place in all kinds of ways. The
technology and market is mature. CAs are either mostly new or running a
monopoly -- which means there's probably a lot of stuff going on behind the
scenes which is proprietary.

~~~
apathy
> there's probably a lot of stuff going on behind the scenes which is
> proprietary.

There really shouldn't be, though. I set up a CA for a large company way back
in 1998 and while it was a pain in the ass, it wasn't something that a novice
Perl hacker couldn't get to run smoothly. (This was before Microsoft fucked
everything up by not allowing people to import trusted root CA certs into
their own browsers, hence the exorbitant $85K fee to do today what I did for
free then)

It just isn't that hard to maintain the CRLs and a CA with a proper chain.
It's an issue of trust like anything else, which is why I brought up the
difficulty of determining whether you trust eg. NSI or Thawte.

If you think DNS is easy, I think you should try and get a tld delegated to
you. Then sit through some ddos attacks on your tld's root servers and see how
easy you think that is. Consider that DNS is meant to be more or less
contstantly available, while a cert chain only needs to be checked
periodically (and the CRL on cert load). Neither is earthshatteringly hard,
neither is easy, they just are.

Both rely on standard protocols with extensive documentation.

~~~
DanielBMarkham
Yeah I got your point about a tld. But I don't think the equivalent for root
CAs are something like "man-in-the-middle" attacks. Seems it would be much
more political in nature -- ie, something like "next year you guys have to all
learn Klingon, wear the same clothes, juggle at least 4 hours a week, and then
put up a million in escrow to reduce our risk"

After all, it's a trust game, right? So if you're one of the few people
running root CAs, you're going to make it really, really difficult to be able
to trust other people at your level -- for the benefit of the users, obviously
</sarcasm>

As we both know, setting up just any old kind of CA isn't the toughest thing
in the world to do. It's getting accepted by the community and making the
certificates into something useful that's going to be a pain.

