What Would It Take To Have Open CA Authorities?

The Slashdot crowd has opened a discussion about the possibility of a free, open Certificate Authority. trainman writes:

With the release of Firefox 3, those who have been using self-signed certificates for SSL now face a huge issue — the big, scary warning FF3 issues which is very unintuitive for non-technical users. It seems Firefox is pushing more websites into the monopolistic arms of companies such as Verisign. For smaller, especially non-profit groups, which will never have issues with domain typo scammers, this adds an extra and difficult-to-swallow cost. Does a service such as this need the same level of scrutiny and cost since all that is being done is verifying that domain and certificate match? This extra hand-holding adds a tremendous cost and allows monopolistic companies such as Verisign to thrive. Can organizations such as Mozilla not move towards a model that helps break this monopoly, helping establish a CA root authority that's cheap (free?) and only links the certificate to the domain, not actual verification of who owns the domain?

Some users pointed out CAcert and StartCom, which issue free SSL certificates, but others pointed out problems with them, such as CRL size (a large revocation list has to be fetched and parsed, which can slow down the SSL connection process for your users) and the fact that their root certificates are not included in most web browsers. A root that every visitor has to import by hand makes the certificate almost as useless as one issued under your own self-created root, which also costs nothing.

A large part of the confusion is about what the point of SSL certificates is in the first place. For example:

Cheater512 writes: "The point of SSL is so you know who you are talking to. It doesn't do anything else."

Antibozo writes: "The point of SSL is validation, then encryption. Without both, it's useless. And if you were paying attention to the noise about DNS cache poisoning last week, you should know that, without validation, SSL is truly useless."

squiggleslash writes: "One entire point of SSL is to ensure that the user can trust the site they're connecting to. If I register citicardbank.com, my inability to get an SSL certificate for it without being traced by my phishing victims severely undermines my ability to rip people off."

AlexCV writes: "No, SSL is about encryption. A certificate is merely a signed public key. Of course you could hijack a session and insert your own certificate in there, but then you'd have to have a CA authority sign it or my browser will throw a fit. And that's why trust is the only thing that matters in SSL."

Evets writes: "People should see SSL certs for what they are - end point-to-end point encryption mechanisms and nothing more. Thinking they are anything more is simply a false sense of security."

Ultimately, SSL certificates are not for encryption; they simply enable it. They are about authentication. I like how BitZtream said it:

As the GP said, certificates are not about encryption; they are about authentication.

You can do the same encryption provided by SSL connections without a certificate at all.

Before you start telling people what certificates are for, please learn about how encryption, and specifically PKI works.

The SSL connection, after being authenticated, uses standard symmetrical encryption to actually transit the data once the connection has been authenticated and a one-time key for each direction has been established.

YOU see certificates used with encrypted websites, but their purpose is not encryption. You can actually use SSL and not have encryption or message authentication at all. But that would be stupid because someone could hijack the data stream and modify it at some point after the initial authentication phase.

Quite simply, domain-validated certificates that are given free to anyone who can show control of a domain are worth very little as proof of identity. Malicious users can get them just as easily as anyone else. Such a certificate enables encryption and confirms that you are talking to whoever controls the domain name you typed, but it says nothing about who that party is, so a phisher on a look-alike domain holds a certificate every bit as valid as the real site's. Free CAs also have issues with the quality of other validation (they don't have to pass audits like WebTrust), the quality of their revocation lists, and the quality of installation support, among other things.
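The following is a toy model of the point made in BitZtream's comment above (the certificate authenticates, then ordinary symmetric keys carry the data) and of the paragraph on domain validation. It is an added example written for this page; it is not code from the Slashdot thread or from any real TLS implementation. It uses only the Python standard library: textbook RSA signatures over an unpadded SHA-256 digest with 512-bit toy keys, a 127-bit Diffie-Hellman group, and dict "certificates". The names bank.example, bank-login.example, run_handshake() and demo() are made up for the illustration. The same ephemeral DH handshake is run five ways: honest; with a man in the middle against a client that skips validation (both ends get a working symmetric key, but each actually shares it with the attacker); the same attack against a validating client, once with a self-signed certificate and once with a genuine domain-validated certificate for a look-alike name (both rejected); and a user who typed the look-alike name (accepted, because domain validation confirms control of that name and nothing more).

```python
import hashlib
import secrets

# Textbook RSA over a SHA-256 digest: toy signatures only, not a real scheme.
def _is_probable_prime(n, rounds=32):
    """Miller-Rabin test; callers only pass odd n > 3."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # force size, odd
        if _is_probable_prime(cand):
            return cand

def rsa_keygen(bits=512):
    """Returns (public, private), each an (exponent, modulus) pair."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this means gcd(e, phi) == 1
            return (e, p * q), (pow(e, -1, phi), p * q)

def rsa_sign(priv, data: bytes) -> int:
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), *priv)

def rsa_verify(pub, data: bytes, sig: int) -> bool:
    return pow(sig, *pub) == int.from_bytes(hashlib.sha256(data).digest(), "big")

# A certificate is just (subject name, public key) signed by a CA.
def _tbs(subject: str, pub) -> bytes:
    return f"{subject}|{pub[0]}|{pub[1]}".encode()

def ca_issue(ca_priv, subject: str, subject_pub) -> dict:
    """Domain validation: sign (name, key) for whoever controls the name."""
    return {"subject": subject, "pub": subject_pub,
            "sig": rsa_sign(ca_priv, _tbs(subject, subject_pub))}

def cert_ok(cert, expected_name: str, ca_pub) -> bool:
    """The browser's check: the name the user typed, under a root it trusts."""
    return (cert["subject"] == expected_name
            and rsa_verify(ca_pub, _tbs(cert["subject"], cert["pub"]), cert["sig"]))

# Ephemeral Diffie-Hellman in a tiny group (real TLS: 2048-bit MODP or ECDH).
P = 2**127 - 1  # Mersenne prime; group elements fit in 16 bytes
G = 5

def dh_keypair():
    x = secrets.randbelow(P - 2) + 2
    return x, pow(G, x, P)

def dh_secret(x, peer_pub) -> bytes:
    """Session key = hash of the shared value; symmetric crypto takes over here."""
    return hashlib.sha256(pow(peer_pub, x, P).to_bytes(16, "big")).digest()

def make_server(signer_priv, name: str) -> dict:
    pub, priv = rsa_keygen()
    return {"priv": priv, "cert": ca_issue(signer_priv, name, pub)}

def run_handshake(expected_name, server, ca_pub=None, attacker=None):
    """DHE handshake. ca_pub=None: the client skips validation. attacker: a man
    in the middle who runs its own DH with the server and offers the client its
    own DH value, signed with whatever key and certificate it holds.
    Returns (accepted, client_key, server_key, attacker_keys)."""
    c_priv, c_pub = dh_keypair()
    s_priv, s_pub = dh_keypair()
    offered = {"cert": server["cert"], "dh": s_pub,
               "sig": rsa_sign(server["priv"], s_pub.to_bytes(16, "big"))}
    server_peer, attacker_keys = c_pub, None
    if attacker is not None:
        a_priv, a_pub = dh_keypair()
        server_peer = a_pub
        attacker_keys = (dh_secret(a_priv, s_pub), dh_secret(a_priv, c_pub))
        offered = {"cert": attacker["cert"], "dh": a_pub,
                   "sig": rsa_sign(attacker["priv"], a_pub.to_bytes(16, "big"))}
    dh_bytes = offered["dh"].to_bytes(16, "big")
    accepted = ca_pub is None or (cert_ok(offered["cert"], expected_name, ca_pub)
        and rsa_verify(offered["cert"]["pub"], dh_bytes, offered["sig"]))
    client_key = dh_secret(c_priv, offered["dh"]) if accepted else None
    return accepted, client_key, dh_secret(s_priv, server_peer), attacker_keys

def demo():
    """Five handshakes: name -> (accepted, client_key, server_key, attacker_keys)."""
    ca_pub, ca_priv = rsa_keygen()
    bank = make_server(ca_priv, "bank.example")
    rogue_pub, rogue_priv = rsa_keygen()  # attacker's own key, self-signed as the bank
    rogue = {"priv": rogue_priv, "cert": ca_issue(rogue_priv, "bank.example", rogue_pub)}
    phish = make_server(ca_priv, "bank-login.example")  # genuine DV cert, look-alike name
    return {
        "honest": run_handshake("bank.example", bank, ca_pub),
        "no_validation": run_handshake("bank.example", bank, None, attacker=rogue),
        "validated_vs_rogue": run_handshake("bank.example", bank, ca_pub, attacker=rogue),
        "validated_vs_phish": run_handshake("bank.example", bank, ca_pub, attacker=phish),
        "user_typed_phish": run_handshake("bank-login.example", phish, ca_pub),
    }
```

Call demo() and compare client_key with server_key in each result. In "no_validation" the handshake completes and every byte is encrypted, yet the two session keys differ and each one appears in attacker_keys: the encryption is fine, it is the authentication that was missing. The two validated attacks fail at the certificate check, not at the cipher. "user_typed_phish" is the case the domain-validation paragraph describes: the certificate chain verifies, the keys agree, and the user is talking to exactly the party that controls the name they typed.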

What Would It Take To Have Open CA Authorities? - [Slashdot]

Originally posted on Sun Jul 20, 2008