Their website seems very vague if you don't know why you're there, and information (such as "where do I find assurers/how does one become one?) don't have easily accessible answers...if they want to garner public support their site needs to be much more informative.
Wow, I've spent way too much time in web dev...the first thing I do when I visit a webpage is consider its usability...
I use their SSL certs for domains. Works great. I also use their personal S/MIME certs. Here's one site using a CAcert SSL certificate. Hostgator only charged 10 dollars to install it. https://16systems.com/main.html
Uh, hello? Extortionate certificate fees aren't a technical problem. It's the "getting inclusion into Internet Explorer" problem that actually matters. What possible evidence do these people have that they'd be successful with this?
They mention on their wiki that a $75k+$10k/year audit will get them into IE, but that is out of their price range now. They are in process for mozilla. For safari the same $75k audit or "equivalent" will suffice.
Perhaps some company will fund them for the PR credit? Perhaps they could take donations? $85k/yr isn't too much. I'd chip in $20/year in a heartbeat.
There are bound to be non-trivial administrative costs and considerations involved with being a provider. How do you cover all sorts of complex admin and legal requirements with a free model?
Yeah but DNS management ain't being a certificate authority.
I mean, I have no idea the obstacles. Some that come to mind: having a certified secure ___location, keeping records in a fire-proof safe, having yearly audits, being bonded at some amount, etc.
I know that some folks would consider these just BS barriers set up to keep the small guys out, but you could make a really good argument that to do what they want you should have to jump through some of these hoops.
> Yeah but DNS management ain't being a certificate authority.
Indeed, it's harder in most respects.
Having a certified secure ___location is actually less good than having a dispersed and challenged base. This is a solved problem for eg. distributed hash tables and the techniques can be repurposed here.
Can you tell me with absolute certainty that Thawte or NSI would not facilitate a man-in-the-middle attack for the right price? And if they did, how would you know?
DNS management is harder than an unknown amount of administrative overhead for being a certificate authority? I'm not sure I can comment on that one. How would you know that to be true? Do you know all of the costs involved with being a certificate authority? If so, you haven't brought them up here.
The next sentence about "having a certified secure ___location is actually less good than having a dispersed and challenged base" means what, exactly? I didn't think we were talking about what was good or not. The point was the expenses were difficult to overcome on a free model. And why would having a dispersed and challenged base be good? People who are somehow challenged and live in random locations are good to have? --- not tracking that.
I have no idea what competitors would or wouldn't do. I believe that plays into my point: there are a lot more expenses in being an authority than simply running a crypto routine (from a secure key generator even)
DNS administration is being done all over the place in all kinds of ways. The technology and market is mature. CAs are either mostly new or running a monopoly -- which means there's probably a lot of stuff going on behind the scenes which is proprietary.
> there's probably a lot of stuff going on behind the scenes which is proprietary.
There really shouldn't be, though. I set up a CA for a large company way back in 1998 and while it was a pain in the ass, it wasn't something that a novice Perl hacker couldn't get to run smoothly. (This was before Microsoft fucked everything up by not allowing people to import trusted root CA certs into their own browsers, hence the exorbitant $85K fee to do today what I did for free then)
It just isn't that hard to maintain the CRLs and a CA with a proper chain. It's an issue of trust like anything else, which is why I brought up the difficulty of determining whether you trust eg. NSI or Thawte.
If you think DNS is easy, I think you should try and get a tld delegated to you. Then sit through some ddos attacks on your tld's root servers and see how easy you think that is. Consider that DNS is meant to be more or less contstantly available, while a cert chain only needs to be checked periodically (and the CRL on cert load). Neither is earthshatteringly hard, neither is easy, they just are.
Both rely on standard protocols with extensive documentation.
Yeah I got your point about a tld. But I don't think the equivalent for root CAs are something like "man-in-the-middle" attacks. Seems it would be much more political in nature -- ie, something like "next year you guys have to all learn Klingon, wear the same clothes, juggle at least 4 hours a week, and then put up a million in escrow to reduce our risk"
After all, it's a trust game, right? So if you're one of the few people running root CAs, you're going to make it really, really difficult to be able to trust other people at your level -- for the benefit of the users, obviously </sarcasm>
As we both know, setting up just any old kind of CA isn't the toughest thing in the world to do. It's getting accepted by the community and making the certificates into something useful that's going to be a pain.
