In message <[EMAIL PROTECTED]> on Fri, 9 Jul 2004 11:56:23 -0500 (EST), "Mark H. Wood" 
<[EMAIL PROTECTED]> said:

mwood> It seems to me that the reason we will not reach cross-
mwood> certification nirvana is that it means the market incumbents
mwood> would become enablers for new competitors.  How much would
mwood> *you* charge someone for the ability to take away your
mwood> customers?

Me?  Unless I'm dealing with trust and legal issues professionally
(which is a different thing than dealing with certificates), I would
rely on a CA business alone.  Instead, I'd have it as a service in a
community-inspired thingy.

After all, most people are connected to a few communities.  There's
the community of friends, there's your job, there may be other
organisations you're involved with.  Basically groups for which you
often have some level of trust.  Or your bank.  The idea is that one
of those communities would have an organisation with a CA, and since
you already have a level of trust with them, and possibly some very
personal contacts, receiving a CA certificate to put in your browser
should be an easy thing.

Now, in contrast, we have the current situation, with a few browser
producers who basically decide for us that we're going to trust a
dozen to a few hundred issuers that we've never heard of, never will
hear of, and that coming from program producers that we usually have
no personal relationship with, and therefore a very low level of
trust.  I have no trust relationship with VeriSign, or with Microsoft,
or with the Mozilla people.  I do talk with some of the Opera people,
but I can't really say we have a trust relationship; I don't know any
of them well enough to be able to have that.  What good are all those
unknown issuer certificates to me?  None at all, if you ask me.  The
only thing that has stopped me from removing all those certificates
from the browser database is laziness, pure and simple.

Now, if we talk trust, which model would you prefer?

mwood> I don't see this happening until someone enters the market who
mwood> is not concerned with profit, is willing to cross-certify other
mwood> noncommercial CAs, and has enough money or clout to get on the
mwood> browsers' goody lists.  That sounds like a government agency to
mwood> me.  Whether it would be good for governments to do that is
mwood> something I will leave for another discussion.

I'm still thinking of starting a small CA as part of my
business, and I'm not concerned about profit from that part alone.
Instead, I see it as a personal tool to express the trust
relationships I might establish with others.  Now, if someone wants to
buy an EE certificate from me, I'll be happy, but I'd probably use it
more to give certificates to people I'm connected to and to whom I
want to give access to certain resources I don't want to be public.
My main business is consultancy, not selling volumes of certificates.
Those who trust me will be those I know, or people I have some
personal relationship with.  Organisations I cross-certify with would
be organisations I'm personally interested in communicating with, or
organisations my users may be interested in communicating with.  And
either way, that would happen after some talking, exchange of policy
documents, a shake of hands, that sort of stuff.

mwood> I doubt that even the best intentions will cause any browser
mwood> vendor to let a nonprofit CA into their list without the
mwood> nonprofit risking Big Bucks, due to legal uncertainties about
mwood> responsibility should the CA be compromised.  Any CA could be
mwood> compromised, but the more money the CA has at risk the easier
mwood> it is to trust his diligence.

That's money talking...  Money isn't everything, and I do not
necessarily place trust in someone that can wave with a big
checkbook.  My trust goes to those I find being open and honest
enough for me to want to have a long-term relationship with them.
Money doesn't buy that.  Money doesn't buy my personal trust.

-----
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.

-- 
Richard Levitte   \ Tunnlandsvägen 52 \ [EMAIL PROTECTED]
[EMAIL PROTECTED]  \ S-168 36  BROMMA  \ T: +46-708-26 53 44
                    \      SWEDEN       \
Procurator Odiosus Ex Infernis                -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]