[jdev] CAs

Peter Saint-Andre stpeter at jabber.org
Wed May 18 21:16:40 CDT 2005


On Wed, May 18, 2005 at 03:58:08PM -0700, Justin Karneges wrote:
> On Wednesday 18 May 2005 12:43 pm, Peter Saint-Andre wrote:
> > We can debate which of these approaches is superior
> 
> The problem isn't the approach, as any is far too complicated for the layman 
> to understand, but rather the problem is of which CAs to trust.  The fact is, 
> CAcert is not installed by default into any root cert storage, thus reducing 
> its usability to that of PGP.  For CAcert to be usable, it _needs_ to be in 
> everyone's root cert storage (cue related chicken-and-egg discussion 
> about Jabber).
> 
> I've read their web page, and they sound like a good, honest, security-minded, 
> and geeky bunch.  There was a request to have their cert added into Psi.  The 
> question is, am I qualified to make such a decision given all of the security 
> concerns that may go along with it?  The answer is no.  Too much rests on 
> X.509, despite how much we hate paying for domain certs.  Instead, I decided 
> to wait and see what Mozilla will do.
> 
> Mozilla's selection of certificates is not random.  There is a metric for 
> deciding which CAs are trustworthy, called WebTrust.  Since CAcert is not 
> certified by WebTrust, folks maintaining root storages are stuck.  They want 
> to trust CAcert because they like the notion, but going against WebTrust 
> would undermine the whole X.509 system.  If it's ok to violate the rules 
> because of a feel-good hunch, we're doomed.
> 
> Either CAcert needs to be WebTrust certified (company Foo with a million 
> dollars, would you please stand up for this noble cause?), or we need to 
> create a new metric for trusting CAs, which could be another grass-roots 
> effort, independent of CAcert.  It doesn't matter at all if Verisign sucks or 
> that WebTrust sucks.  The fact is we need _some_ system, and we either need 
> to work within it or change it.
> 
> > Outside of CAcert, XMPP servers could of course also trust the same CAs
> > that are trusted by, say, Mozilla
> 
> Obviously.  XMPP servers are no different than clients in this regard, which 
> also trust the same CAs as Mozilla.

Well, I suggest doing some research on the matter of root CAs. The
existing root CA lists were decided upon in a rather arbitrary fashion
(the ca-bundle.crt file you see floating around was defined back in the
year 2000 or whatever and has not changed since), and I think Netscape
didn't really have an official policy on the matter. CAcert's request to
be added to the Mozilla list has exposed the fact that there really were
no policies in effect before -- now they are being defined. The WebTrust
stuff can be seen as an effort to circle the wagons and prevent new
entrants into the CA market (especially inexpensive entrants). In fact
there are many many questions one could raise about the conflicts of
interest in the existing CA universe, the ethical status of VeriSign,
and much more. To reduce the question to "I'll trust whatever Mozilla
trusts" simplifies the decision for you but then you have abdicated
judgment.

/psa