[jdev] CAs
Justin Karneges
justin-keyword-jabber.093179 at affinix.com
Wed May 18 17:58:08 CDT 2005
On Wednesday 18 May 2005 12:43 pm, Peter Saint-Andre wrote:
> We can debate which of these approaches is superior
The problem isn't the approach (any of them is far too complicated for the layman
to understand) but rather which CAs to trust. The fact is,
CAcert is not installed by default into any root cert storage, thus reducing
its usability to that of PGP. For CAcert to be usable, it _needs_ to be in
everyone's root cert storage (cue related chicken-and-egg discussion
about Jabber).
I've read their web page, and they sound like a good, honest, security-minded,
and geeky bunch. There was a request to have their cert added into Psi. The
question is, am I qualified to make such a decision given all of the security
concerns that may go along with it? The answer is no. Too much rests on
X.509, despite how much we hate paying for domain certs. Instead, I decided
to wait-and-see what Mozilla will do.
Mozilla's selection of certificates is not random. There is a metric for
deciding which CAs are trustworthy, called WebTrust. Since CAcert is not
certified by WebTrust, folks maintaining root storages are stuck. They want
to trust CAcert because they like the notion, but going against WebTrust
would undermine the whole X.509 system. If it's ok to violate the rules
because of a feel-good hunch, we're doomed.
Either CAcert needs to be WebTrust certified (company Foo with a million
dollars, would you please stand up for this noble cause?), or we need to
create a new metric for trusting CAs, which could be another grass-roots
effort, independent of CAcert. It doesn't matter at all if Verisign sucks or
that WebTrust sucks. The fact is we need _some_ system, and we either need
to work within it or change it.
> Outside of CAcert, XMPP servers could of course also trust the same CAs
> that are trusted by, say, Mozilla
Obviously. XMPP servers are no different from clients in this regard, which
also trust the same CAs as Mozilla.
-Justin