tlug Mailing List Archive

Re: [tlug] cacert question
- Date: Thu, 24 Feb 2011 15:32:47 +0900
- From: "Stephen J. Turnbull" <stephen@example.com>
- Subject: Re: [tlug] cacert question
- References: <AANLkTi=2RaYdt1yqbF4=tjZKCfSaZ-kuOGT50sRSnhAd@example.com> <AANLkTimWRynCAbBbVCzhcqvEjB1OcD5B1xt6N+S7vOpJ@example.com> <AANLkTinz=E_DM7KLopuS2O+V+coP3+0VhPck-3RUHxXg@example.com> <877hcqnrai.fsf@example.com> <4D65DB6C.9020306@example.com>
Raymond Wan writes:

> > Being a Root CA is like being a Lloyds "name". The important thing is
> > that you have a fixed address and a well-known phone number to call
> > when somebody wants to sue you.
>
> IMHO, that's also an "advantage" of proprietary software

Not really. The EULA says the same thing as the GPL: NO WARRANTY. So winning such a lawsuit is not very likely.

The advantage of proprietary software is in its unique features, presumably protected by law, and if you're lucky, in the afterservice that monopoly revenues allow it to provide. But in general, there is no visible difference in code quality or real warranties for people unwilling to pay up front for a service contract.

(There is a quality advantage to proprietary software, however: that monopoly revenue also allows them to provide a myriad of tiny features that are boring and unfun to provide. E.g., the various images and stuff that come with MS Office, and the slick default themes.)

> Hmmmm, all of your comments [not just Stephen's] still make
> me wonder (somewhat rhetorically) how browsers trust Root
> CAs in the first place.

They have a very specific, very circular, definition of trust. "I trust that this server is the same server that signed up with the Root CA in the first place."

SSL is intended to protect you from ordinary wiretapping. Root CAs protect you from wiretapping where you call a known number and you end up connected to somebody else. There's nothing here that says that you can trust the entity at the other end of the wire, or very little that says you really know who they are. It's up to you to check that the "amazon-com.com" that offers you a certificate digitally signed by Entrust is really the well-known bookseller. And of course there's nothing at Entrust that says that Jeff Bezos is more honest than Takafumi Horie. (Hint: Amazon.com is a Verisign customer....)

> It's somewhat strange in this case that we're still using
> the word "trust", but it doesn't diminish with distance...

It *does* diminish with distance. That's why every CACert member must meet you *personally* before giving you points. Each one is Kibo distance[1] one from you, and then they can add on their points to you. See the GPG book for how longer chains of trust work. They do indeed diminish with distance.

Footnotes:

[1] Look up "Kibo" in some trove of 'net-lore. If you have shaken hands with Kibo, you have an (unofficial) distance of one. Official Kibo distances are measured by the minimum number of links in a chain of "I got an email from X who got one from Y who got one from Z who got one directly from Kibo." (Personal contact is not taken into account for official distance. I have a Kibo distance of 2.)