Open Source SSL Cert Server?
EraseMe asks: "I have a great idea for an open source project, but I don't know where to begin. I'm tired of paying large cash for SSL Certifications from companies such as VeriSign. It would be great to provide companies and individuals with free certifications, with one central server providing the solution. I would imagine this wouldn't be terribly difficult to implement over existing applications such as OpenSSL and mod_ssl." This would be a cool idea, but if the certs are free, how would such an entity stay afloat and pay for things like servers, office space and bandwidth?
Re:Skepticism (Score:1)
However for a public Internet site one probably needs to pay the piper and get a cert signed by someone that the browsers recognize. (I don't think you can add certs to the version 3 browsers either, which might be an additional problem with a public site.)
--
Re:Skepticism (Score:1)
Citrix
$100-$150 from thawte.com (Score:1)
I've also looked at something similar, as I run a company thinking about becoming a CA. The easiest way to do it is work with thawte and they will sign your issuing certificate for $100,000. That'll get you into all the major browsers immediately. If someone had the up front capital, and charged $100/cert, they could make it back pretty quickly, and then some.
Re:Skepticism (Score:1)
The place I work for has paid thousands of dollars all said to buy certificates, and the most they do is keep signed (paper) documents certifying that we are who we say we are.
The problem with a community based certificate signing service is getting Microsoft and Netscape to recognize certificates signed by such an entity as a default. Anyone with a little know-how can already sign certificates themselves -- it's just that no one trusts an unknown signing authority.
If certificates are used mainly for stream encryption of the http stream, then self (or community) signing shouldn't be that big a problem. Just get the browsers to accept them.
But certificates are also used to authenticate that a site is who they say they are, and not a hijacked connection or some site that just says they are IBM. That requires some sort of paperwork and tracking. If we could find a way to get those sorts of resources donated, we'd be in business.
Can we trust you? (Score:1)
For personal use, PGP [or S/MIME, though I think it's pretty icky] seems far preferable to SSL based encryption. I honestly don't see where the demand is coming from.
www.openca.org (Score:1)
OpenCA info... (Score:1)
It would be REALLY nice if OpenCA could get into the "Trusted Certificate Authority" lists of both browsers so you don't have to pay the Verisign tax each time you want to have a seamless SSL site (seamless being defined as an SSL site without nasty SSL popups).
I detest the fact that you have to pay a Trusted Certificate Authority before you can seamlessly secure these sites, whether you are a commercial site or not. Quite frankly I think this situation is almost as bad for consumers as the Microsoft monopoly, both cater to fat corporate clients at the expense of the small guy.
Re:Skepticism (Score:2)
An Existing CA Project.. (Score:2)
Check them out.
--
Skepticism (Score:2)
First, a nitpick. Most "Open source" software is in fact available for the price of a 'net connection, but that's also true of Netscape, IE, and buttloads of other software. So stop saying "Open Source" when you seem to mean "free as in beer."
The central issue, it seems to me, is whether you can balance the cost-effectiveness of the SSL certification service (even if it's free to the users, you'll still require resources which will have to be donated or funded by members of the community) with the level of security. The problem is that running responsible checks on the certificate applicant can be fairly costly. VeriSign and Thawte come and visit your location to make sure it's all kosher, don't they? That's expensive ... how do you provide a similar level of verification of security with different methods?
Re:Skepticism (Score:2)
Hm, a nifty feature for Mozilla (e.g. !) developers to work on if ever I saw one. Here's where open source, in the true sense of the term, can help in the process of instituting the system the questioner asked for. Part of developing the service would just involve writing the code for accepting the "community's" CA as a default.
I like it ... makes me less skeptical =)
Re:OpenCA info... (Score:3)
Think about what you are saying: "I detest the fact that you have to pay a Trusted Certificate Authority before you can seamlessly secure these sites." The only way to seamlessly secure "these sites" is to have someone who proactively ensures that these sites are who they say they are (the Trusted Certificate Authority). If you've ever purchased an SSL cert before, you know what an arduous process this is - typically three or more separate forms of identification are required, articles of incorporation, etc. Verifying that you are actually "you" is a costly and time consuming thing, and barring an unusually pious CA, someone is going to charge you to do it. The money you pay ensures that they are issuing certs with truthful and correct data on them.
The alternative is not a pretty picture. OpenCA will not, and should not, "get into" the Trusted CA list of browsers because it isn't. They do not perform identity checking (at least as far as I can tell based on a cursory glance at their signup page). Telling several million browsers to take anything OpenCA tells them as gospel is just asking for disaster. It would essentially be like authorizing the DMV to sell photo IDs with whatever information you ask for on it - you can be anyone, any server, any thing, and as long as OpenCA is "trusted," no one can tell the difference.
This may not seem like a big deal now, but it will be in the very near future, when one's digital certificate signature carries the same legal force as a handwritten one (this will happen). Scrutiny on digital certs needs to be increased, if anything. They shouldn't be handed out like candy.
--
Open Insurance is what you need (Score:3)
Web browsers and other software using SSL only allow clean passage of certificates from cert authorities for which the master cert for that authority is present. When you get a mainstream web browser, it comes with keys installed for Verisign, Thawte, Deutsche Telekom, Equifax, GTE and a number of other signing authorities.
You can add more signers yourself. If you're deploying browsers for a company/school/organization extranet, for example, you can hand out browsers with your organization's master cert installed, and the browser will happily accept the certs you issue, with no money going to a Verisign, Thawte, etc.
Thing is, in order to get into the master list of signer certs that get bundled with the major browsers, your signing authority has to be considered fully trustworthy. That means you have to be able to vouch for the authenticity of every cert you issue. Verisign and Thawte do that by doing a verification of the info provided by an applicant. That generally costs a bit of money and labor. But then there's the CA's bigger expense: covering themselves in case of liability. A Verisign or Thawte cert, level 3 or higher, costs money because Verisign and Thawte are putting their necks on the chopping block if they issue a false cert. They are liable for fraud committed with a false certificate. Remember: when a browser passively accepts a cert, it isn't just signifying that encryption is taking place. It's telling you that the site (or personal) certificate is correct, that if the cert is claimed to be from Spumco at 123 Main Street, it really is Spumco's cert.
The best you could really hope to put together is a non-profit CA. You can't get rid of significant cost altogether. Insurance costs money.
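Added example, not part of any post in this thread: the thread's point that anyone can sign certificates and that acceptance depends only on which root is installed, shown with the OpenSSL command line. It assumes the `openssl` tool is available; the organization name, host name and file names are constructed for the illustration.

```shell
#!/usr/bin/env bash
# Added illustration; every name below is constructed for the example.

# Build a throwaway PKI in directory $1: an organization root CA, a server
# certificate it signs, and an unrelated root that never signed anything.
make_pki() {
  dir=$1
  # Self-signed root: the "master cert" an organization would preinstall.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/O=Example Org/CN=Example Org Root CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
  # Server key and signing request.
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/O=Example Org/CN=intranet.example.test" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null || return 1
  # The root signs the request; no outside CA is involved.
  openssl x509 -req -in "$dir/leaf.csr" -days 30 \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -out "$dir/leaf.crt" 2>/dev/null || return 1
  # A second root standing in for a trust store that lacks the org's CA.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/O=Someone Else/CN=Unrelated Root CA" \
    -keyout "$dir/other.key" -out "$dir/other.crt" 2>/dev/null || return 1
}

# Succeeds only if certificate $2 chains to the trust anchor in file $1.
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print "trusted" or "untrusted" for anchor $1 and certificate $2.
verdict() {
  if chain_ok "$1" "$2"; then echo trusted; else echo untrusted; fi
}

demo_dir=$(mktemp -d)
if make_pki "$demo_dir"; then
  echo "org root installed:     $(verdict "$demo_dir/ca.crt" "$demo_dir/leaf.crt")"
  echo "org root not installed: $(verdict "$demo_dir/other.crt" "$demo_dir/leaf.crt")"
fi
rm -rf "$demo_dir"
```

The same certificate and key produce both results; the only variable is which root the verifier was given, which is why the identity vetting done by whoever controls a bundled root matters more than the signing step itself.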