[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Netscape, CAs, and Verisign



Alex Strasheim wrote:
> 
> I'm a big fan of Netscape and their products, and I think they do a good
> job of addressing the interests of their customers and the public at
> large with respect to crypto issues.
> 
> But it's starting to become apparent that there's a fairly serious problem
> with Certification Authorities and SSL.
> 
> The problem is simple enough:  sites with certificates from one of the CAs
> that are preconfigured in Netscape have a tremendous advantage over sites
> with certs from other CAs, and it's expensive and difficult to get a cert
> if you're running an alternative server like ApacheSSL.
> 
> This problem is going to get a lot worse when X509 client authentication
> becomes more popular.
> 
> Netscape needs to address the situation.  It's just not practical or
> desireable for one company (Verisign) to have a stranglehold on
> certificates.

  I agree with what you are saying.  I very much want to see real competition
in the certificate issuing business.  We are in the process of developing
a set of criteria that CAs have to meet in order to be included in the
"default" list of CAs that our products support.  The criteria focus
on assuring support for our customers more than trying to specify a
particular policy.  The criteria will include things like required
minimum response times for customer problems, compliance with an
interoperability spec, publishing of policies, etc.  Some time in
the next few months these criteria will be made public, and that 
should allow for open competition.

> I'd like to see a less centralized CA that's tied into the existing system
> of notaries.  The idea is to make it necessary to spoof a notary in order
> to spoof the CA.  That won't make spoofing the CA impossible (nothing
> will), but it will make spoofing the CA illegal.
> 
> A notary could apply to the CA for the right to work as an agent, for a
> nominal fee (<$100/year).  Only notaries could be agents.  If a person
> wants a certificate, they'd come in and present ID and a key to the
> notary/agent.  The person would have to present a form document stating
> that he's requesting the cert.  The notary would stamp the form and affix
> a signature to the key which would enable it to be processed automatically
> by the CA.
> 
> Fees for the whole procedure ought to be less than $30.  The CA ought to
> operate off of the fees from the agents as a non-profit organization, and
> the agents ought to keep the fees paid by the people requesting the
> certificates.
> 
> Would any of the lawyers on the list be willing to comment on whether or
> not it's possible or practical to tie a CA into the notary system?  Does
> anyone have any thoughts as to how difficult/risky spoofing my CA is
> compared to spoofing Netscape or Verisign?
> 
> I could put up a server and I think I know a laywer who would help me set
> up a non-profit organiation on a shoestring, but I don't want to do it if
> the plan is impractical.
> 
> Morevover, although I don't think it's reasonable to expect Netscape to
> agree to include a non-existent CA in their browsers sight unseen, at the
> same time it doesn't seem smart to sink money into setting up the CA
> without some indication from Netscape that they're willing to give the
> idea good faith consideration.

  I would suggest that you wait until you see our published criteria before
you spend too much effort setting up such a service, so that you can
be sure to meet them.  We don't care how big a company you are, as long
as you agree to provide our customers with a reasonable level of support
and issue certs that are compatible with our products.

	--Jeff

-- 
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
[email protected] - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.