- Date: Fri, 25 Feb 2011 14:44:08 +0900
- From: Raymond Wan <rwan.kyoto@example.com>
- Subject: Re: [tlug] cacert question
- References: <AANLkTi=2RaYdt1yqbF4=tjZKCfSaZ-kuOGT50sRSnhAd@example.com> <AANLkTimWRynCAbBbVCzhcqvEjB1OcD5B1xt6N+S7vOpJ@example.com> <AANLkTinz=E_DM7KLopuS2O+V+coP3+0VhPck-3RUHxXg@example.com> <877hcqnrai.fsf@example.com> <4D65DB6C.9020306@example.com> <87wrkqx7qo.fsf@example.com>
- User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.16) Gecko/20101226 Icedove/3.0.11
On 24/02/11 15:32, Stephen J. Turnbull wrote:
> Raymond Wan writes:
>
>  > > Being a Root CA is like being a Lloyds "name". The important thing is
>  > > that you have a fixed address and a well-known phone number to call
>  > > when somebody wants to sue you.
>  >
>  > IMHO, that's also an "advantage" of proprietary software
>
> Not really. The EULA says the same thing as the GPL: NO WARRANTY. So
> winning such a lawsuit is not very likely.

Yes, that's true. I suppose the average consumer clicks "Agree" without
actually reading it and perhaps is not fully aware of the EULA. If some
big problem happened [big enough to rival the Toyota braking problem],
then maybe the words of the EULA will be put under the spotlight. But,
such a spotlight may still not have an effect.

> The advantage of proprietary software is in its unique features,
> presumably protected by law, and if you're lucky, in the afterservice
> that monopoly revenues allow it to provide. But in general, there is no
> visible difference in code quality or real warranties for people
> unwilling to pay up front for a service contract. (There is a quality
> advantage to proprietary software, however: that monopoly revenue also
> allows them to provide a myriad of tiny features that are boring and
> unfun to provide. E.g., the various images and stuff that come with MS
> Office, and the slick default themes.)

Well, I'm not trying to defend Microsoft [really, I am a Linux user and
not a spy :-) ], but many Microsoft-haters aren't aware of the work that
comes out of Microsoft Research. I think they do a lot of work in natural
language processing, speech recognition, and search engines. Of course,
such work is motivated by business, but it is still advancing research.

I'm sure there was some division in Microsoft Research that was
responsible for the Paperclip (tm). :-)

> They have a very specific, very circular, definition of trust. "I trust
> that this server is the same server that signed up with the Root CA in
> the first place."
>
> SSL is intended to protect you from ordinary wiretapping. Root CAs
> protect you from wiretapping where you call a known number and you end
> up connected to somebody else. There's nothing here that says that you
> can trust the entity at the other end of the wire, or very little that
> says you really know who they are. It's up to you to check that the
> "amazon-com.com" that offers you a certificate digitally signed by
> Entrust is really the well-known bookseller. And of course there's
> nothing at Entrust that says that Jeff Bezos is more honest than
> Takafumi Horie. (Hint: Amazon.com is a Verisign customer....)

Ah, I see -- thank you for helping me make the distinction between the
two -- SSL and Root CAs.

>  > It's somewhat strange in this case that we're still using
>  > the word "trust", but it doesn't diminish with distance...
>
> It *does* diminish with distance. That's why every CACert member must
> meet you *personally* before giving you points. Each one is Kibo
> distance[1] one from you, and then they can add on their points to you.
> See the GPG book for how longer chains of trust work. They do indeed
> diminish with distance.

Hmmm, that's true about personally meeting. But if we have a chain of
people meeting each other:

A --> B --> C --> D --> E

then A and E are in the same "web of trust", despite them never having
met each other. And if C was somehow slack, then the web is only as good
as the weakest link.

On the other hand, for a CAcert member to issue a cert for a long enough
duration, s/he had to have met many people. So, I guess this is the main
safeguard. I see.

> Footnotes:
> [1] Look up "Kibo" in some trove of 'net-lore. If you have shaken hands
> with Kibo, you have an (unofficial) distance of one. Official kibo
> distances are measured by the minimum number of links in a chain of "I
> got an email from X who got one from Y who got one from Z who got one
> directly from Kibo." (Personal contact is not taken into account for
> official distance. I have a Kibo distance of 2.)

I've never heard of Kibo in this context; I'll be sure to look it up.
Sounds similar to the Erdos number of research in mathematics.

Thank you all for your help in understanding cacert! Have a good weekend!

Ray
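The A --> B --> C --> D --> E chain and the "weakest link" point above, as an added example that is not part of the original thread: a small web-of-trust model in which each edge is a constructed in-person assurance carrying a confidence value, trust along a chain decays with every hop (product of the link confidences) and is bounded above by the weakest link, and the chain length is the Kibo-style distance. The graph, the confidence numbers and the helper names are all assumptions chosen to illustrate the message, not anything CAcert or GPG actually implements.

```python
from collections import deque

# Constructed example graph: each edge is a directed in-person assurance
# from assurer to assured, with a confidence in (0, 1]. This is the chain
# from the message; C is marked as the "slack" assurer.
ASSURANCES = {
    "A": {"B": 0.9},
    "B": {"C": 0.9},
    "C": {"D": 0.5},   # slack assurer: the weakest link
    "D": {"E": 0.9},
    "E": {},
}


def find_chain(graph, src, dst):
    """Shortest chain of assurances from src to dst (BFS), or None if
    dst is not reachable from src at all."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in graph.get(node, {}):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def chain_trust(graph, path):
    """Trust along a chain as (decayed, weakest_link): the product of the
    link confidences, which shrinks with every hop, and the minimum link
    confidence, which bounds the chain from above."""
    if path is None or len(path) < 2:
        return 0.0, 0.0
    confs = [graph[a][b] for a, b in zip(path, path[1:])]
    decayed = 1.0
    for c in confs:
        decayed *= c
    return decayed, min(confs)


def distance(graph, src, dst):
    """Number of hops in the shortest assurance chain, or None."""
    path = find_chain(graph, src, dst)
    return None if path is None else len(path) - 1
```

Reversing the direction (E to A) yields no chain at all, because assurances are directed from the assurer to the person assured.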