Date: Tue, 6 Jan 2009 19:20:34 -0900
From: Mel <fbsd.questions@rachie.is-a-geek.net>
To: freebsd-questions@freebsd.org
Cc: Olivier Nicole <on@cs.ait.ac.th>, perrin@apotheon.com
Subject: OT: The future of CA's (Was: Re: Foiling MITM attacks on source and ports trees)
Message-ID: <200901061920.34312.fbsd.questions@rachie.is-a-geek.net>
In-Reply-To: <200901070256.n072uhqW043681@banyan.cs.ait.ac.th>
References: <20090102164412.GA1258@phenom.cordula.ws> <200901061111.52155.fbsd.questions@rachie.is-a-geek.net> <200901070256.n072uhqW043681@banyan.cs.ait.ac.th>
On Tuesday 06 January 2009 17:56:43 Olivier Nicole wrote:
> Hi,
>
> > It shouldn't be so hard to give every citizen the option to "get an
> > online certificate corresponding with their passport" and similarly for
> > Chambers of Commerce to provide certificates for businesses.
>
> Only that would mean that 200 countries become Certificate Authorities
> and tens of thousands of Chambers of Commerce become too.
>
> Would you be ready to trust some very remote Chamber of Commerce of
> some third world country to be a trustworthy CA?

About the same amount as I trust their Chamber of Commerce registration.
Remember that certs are used to establish a trust relationship ultimately
leading to a legally binding sale/purchase agreement. If I don't trust the
Chamber of Commerce of the country in question, I certainly don't have a
reason to do business with that company. In fact, having a 3rd party obscure
the origin of the company is misleading, as in case of conflict, what exactly
are your rights and how would they be resolved? Is this company even allowed
to do business under this name/with these products, etc. etc.

> Not to mention that to manage these so many CA, you need an
> infrastructure that is yet to be deployed.

Actually, the infrastructure is already there. District governments already
have an infrastructure to verify the identity of a person. Companies like
Verisign had to implement this separately. The thing that's missing is that
governments do not see their responsibility.

Yes, I do realize that the newly created CA's would have to be added to the
list of trusted CA's for SSL clients. In a transitional period, this could be
done backward-compatibly by temporarily chaining to a root CA that's already
"known". Perhaps this technology even needs to be revisited as the potential
list can outgrow the intent of the current scheme. However, I don't consider
this a bad thing(tm).

If there's one thing the internet has shown, it is that adoption of new
technology can be near instantaneous (Bittorrent, iTunes, email, IM to name
a few).

-- 
Mel

Problem with today's modular software: they start with the modules and never
get to the software part.
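The "temporarily chaining to a root CA that's already known" idea in the message above is, in X.509 terms, cross-signing: the new CA's key gets a second certificate issued by an existing root, so a client that only trusts the old root can still build a path to the new CA's end-entity certs, and once clients add the new CA directly the cross-cert becomes unnecessary. The following is an added example, not part of the original e-mail or the thread: it uses the `cryptography` library to build a constructed "Known Root CA", a hypothetical "Example Passport CA" (both self-signed and cross-signed by the root), a citizen leaf cert, and a minimal path builder that checks issuer/subject linkage, signatures and the CA bit, then shows which trust stores yield a path. All names, keys and dates are constructed here.

```python
"""Added example (not from the original message): cross-signing a new CA under a
known root so that the transition described in the thread can be checked.
Requires the 'cryptography' package; every name and key here is constructed."""
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Constructed validity window (date of the original message, UTC).
NOW = datetime.datetime(2009, 1, 6, tzinfo=datetime.timezone.utc)
YEAR = datetime.timedelta(days=365)


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_cert(subject, pubkey, issuer_name, issuer_key, is_ca):
    """Issue a certificate for `pubkey` with the given subject, signed by issuer_key."""
    builder = (
        x509.CertificateBuilder()
        .subject_name(_name(subject))
        .issuer_name(_name(issuer_name))
        .public_key(pubkey)
        .serial_number(x509.random_serial_number())
        .not_valid_before(NOW)
        .not_valid_after(NOW + YEAR)
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    return builder.sign(issuer_key, hashes.SHA256())


def is_ca(cert):
    return cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca


def signed_by(cert, issuer_cert):
    """True iff the names link and cert's signature verifies under issuer_cert's key."""
    if cert.issuer != issuer_cert.subject or not is_ca(issuer_cert):
        return False
    try:
        issuer_cert.public_key().verify(
            cert.signature, cert.tbs_certificate_bytes,
            ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def build_path(leaf, untrusted, trust_store):
    """Walk upward from leaf through `untrusted` certs until a trust anchor signs
    the current cert. Returns the list [leaf, ..., anchor] or None if no path."""
    path, current = [leaf], leaf
    for _ in range(len(untrusted) + 1):
        anchor = next((a for a in trust_store if signed_by(current, a)), None)
        if anchor is not None:
            return path + [anchor]
        nxt = next((c for c in untrusted if signed_by(current, c)), None)
        if nxt is None:
            return None
        path.append(nxt)
        current = nxt
    return None


# Constructed PKI: an already-known root, a new CA (self-signed and cross-signed), a leaf.
root_key = ec.generate_private_key(ec.SECP256R1())
root = make_cert("Known Root CA", root_key.public_key(), "Known Root CA", root_key, True)

gov_key = ec.generate_private_key(ec.SECP256R1())
gov_self = make_cert("Example Passport CA", gov_key.public_key(),
                     "Example Passport CA", gov_key, True)
# Same CA key, but certified by the known root: the transitional cross-certificate.
gov_cross = make_cert("Example Passport CA", gov_key.public_key(),
                      "Known Root CA", root_key, True)

leaf_key = ec.generate_private_key(ec.SECP256R1())
leaf = make_cert("citizen-1234", leaf_key.public_key(), "Example Passport CA", gov_key, False)


def demo():
    """Return (transitional_ok, direct_ok, no_anchor_fails) for the three client states."""
    # Client trusts only the old root; the cross-cert bridges to the new CA.
    transitional = build_path(leaf, [gov_cross], [root])
    # Client has added the new CA directly; no cross-cert needed.
    direct = build_path(leaf, [], [gov_self])
    # Client trusts neither: the cross-cert alone proves nothing.
    orphan = build_path(leaf, [gov_cross], [])
    return (transitional is not None, direct is not None, orphan is None)


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

The same CA key is valid under either trust store, which is the property the transition relies on; the path builder here is deliberately minimal (no validity-date, revocation or name-constraint checks), enough to show where the cross-certificate fits and nothing more.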
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200901061920.34312.fbsd.questions>