What Would It Take To Have Open CA Authorities?
The Slashdot crowd has opened a discussion about the possibility of a free, open Certificate Authority. trainman writes:
With the release of Firefox 3, those who have been using self-signed certificates for SSL now face a huge issue — the big, scary warning FF3 issues which is very unintuitive for non-technical users. It seems Firefox is pushing more websites into the monopolistic arms of companies such as Verisign. For smaller, especially non-profit groups, which will never have issues with domain typo scammers, this adds an extra and difficult-to-swallow cost. Does a service such as this need the same level of scrutiny and cost since all that is being done is verifying domain and certificate match? This extra hand holding adds a tremendous cost and allows monopolistic companies such as Verisign to thrive. Can organizations such as Mozilla not move towards a model that helps break this monopoly, helping establish a CA root authority that's cheap (free?) and only links the certificate to the domain, not actual verification of who owns the domain?
Some users pointed to CAcert and StartCom, which issue free SSL certificates, but others pointed out problems with them, such as CRL size (which can slow down the SSL connection process for your users) and the fact that their root certificates are not included in most web browsers. The roots have to be imported manually, which makes these certificates almost as useless as creating your own root certificate for free.
A large part of the confusion is about what the point of SSL certificates is in the first place. For example:
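What "root not included in the browser" means mechanically, as an added example that is not part of the original post: a certificate from a CA whose root is absent from the trust store fails validation exactly like a home-made root does, until someone imports that root. It assumes the `openssl` CLI is installed; Demo Free CA, Bundled Root CA and www.example.org are constructed names.

```shell
#!/usr/bin/env bash
# Added example. Demo Free CA, Bundled Root CA and www.example.org are constructed names.

# Create a root CA named $2 in directory $1, plus a www.example.org leaf it signs.
make_pki() {
  local dir="$1" ca_name="$2"
  mkdir -p "$dir"
  # Minimal config so the root is marked CA:TRUE regardless of system defaults.
  printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' 'prompt=no' \
    '[dn]' "CN=$ca_name" '[v3_ca]' 'basicConstraints=critical,CA:TRUE' > "$dir/req.cnf"
  openssl req -x509 -config "$dir/req.cnf" -newkey rsa:2048 -nodes -days 30 \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  openssl req -new -config "$dir/req.cnf" -subj "/CN=www.example.org" \
    -newkey rsa:2048 -nodes -keyout "$dir/site.key" -out "$dir/site.csr" 2>/dev/null
  openssl x509 -req -in "$dir/site.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 30 -out "$dir/site.pem" 2>/dev/null
}

# Exit 0 only if certificate $2 chains to a root found in trust anchor file $1.
chains_to() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print "trusted" or "untrusted" for certificate $2 against trust anchor file $1.
verdict() {
  if chains_to "$1" "$2"; then echo trusted; else echo untrusted; fi
}

# Walk through the scenario from the text in a scratch directory.
demo() {
  local tmp; tmp=$(mktemp -d)
  make_pki "$tmp/bundled" "Bundled Root CA"    # a root the browser already ships
  make_pki "$tmp/free" "Demo Free CA"          # a free CA whose root is not shipped
  cp "$tmp/bundled/ca.pem" "$tmp/browser.pem"  # the stock trust store
  echo "free-CA cert, stock store:   $(verdict "$tmp/browser.pem" "$tmp/free/site.pem")"
  echo "self-made root, stock store: $(verdict "$tmp/browser.pem" "$tmp/free/ca.pem")"
  cat "$tmp/free/ca.pem" >> "$tmp/browser.pem" # the user imports the root by hand
  echo "free-CA cert, after import:  $(verdict "$tmp/browser.pem" "$tmp/free/site.pem")"
  rm -rf "$tmp"
}

demo
```

The signature on the free CA's certificate is cryptographically valid in all three cases; only the contents of the trust store change the verdict.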
Cheater512 writes: "The point of SSL is so you know who you are talking to. It doesn't do anything else."
Antibozo writes: "The point of SSL is validation, then encryption. Without both, it's useless. And if you were paying attention to the noise about DNS cache poisoning last week, you should know that, without validation, SSL is truly useless."
squiggleslash writes: "One entire point of SSL is to ensure that the user can trust the site they're connecting to. If I register citicardbank.com, my inability to get an SSL certificate for it without being traced by my phishing victims severely undermines my ability to rip people off."
AlexCV writes: "No, SSL is about encryption. A certificate is merely a signed public key. Of course you could hijack a session and insert your own certificate in there, but then you'd have to have a CA authority sign it or my browser will throw a fit. And that's why trust is the only thing that matters in SSL."
Evets writes: "People should see SSL certs for what they are - end point-to-end point encryption mechanisms and nothing more. Thinking they are anything more is simply a false sense of security."
Ultimately, SSL certificates are not for encryption; they simply enable encryption. They are about authentication. I like how BitZtream said it:
Originally posted on Sun Jul 20, 2008