
cacert-policy - [CAcert-Policy] Why I switched to a thawte certificate

Subject: Policy-Discussion

  • From: Sven Anderson <sven AT anderson.de>
  • To: Policy-Discussion <cacert-policy AT lists.cacert.org>
  • Subject: [CAcert-Policy] Why I switched to a thawte certificate
  • Date: Fri, 24 Oct 2008 21:50:11 +0200
  • List-archive: <https://lists.cacert.org/cgi-bin/mailman/private/cacert-policy>
  • List-id: Policy-Discussion <cacert-policy.lists.cacert.org>

Hi,

I haven't read this list for a long time, so I apologize if this has been discussed before.

I stopped using my CAcert certificate and use a free thawte certificate now. That is sad, I know. So why did I switch?

1. Usability. I stopped signing my mails by default a while ago, because some people complained and some even claimed I have a virus (sic!). This is a weird result of the very stupid fact that mail clients warn about mails signed by certificates of an unknown CA, although they are not more dangerous than unsigned mails, which obviously don't result in a warning. As long as CAcert is not in the root chain, this will not change.

2. I don't need "identity". I want confidentiality (encryption), communication coherence (do I talk to the same person as yesterday?) and _sometimes_ trust. But trust in real life is never built upon identity. I trust people because I "know" them. And "know" in this case means either a good personal experience or a good reputation by somebody else I trust. (Now you will say: fine, use PGP and its WoT, it's made for exactly this. Right, but here usability comes into play again. S/MIME is included in every mail client, PGP is not.) So, I can have a very trustful relationship with people whose identity I don't know. In fact I never saw the IDs of most of my best friends. So I don't care if there is my real name in the certificate or not, and for some things I don't even want it. That the certificate belongs to a certain mail address is all I need, and this can be automatically verified by any CA. In a situation in which I really need the identity - because I want to do business with an unknown person for instance - I will not trust the data inside a certificate anyway, because it's only as secure as the weakest CA in my root chain. And that's really not enough. I would always verify the information out of band.

Why do I tell you this on the policy list? Well, I would happily come back to using CAcert if I could get a certificate which contains only my mail address, but whose CA is included in the clients' root chains. What I want to propose is a fast track approach for "browser inclusion" by introducing a complementary CA to the class 3 CA of CAcert, that is, a CA for anonymous (email-address based) certificates only. I assume that a CA that is only based on automatically verified data will be a lot easier and faster to get included into the root chains. If you can include the class 3 CA later as well that's great, but at least CAcert can offer the same as thawte in the meantime.


Best regards,

Sven

Attachment: smime.p7s
Description: S/MIME cryptographic signature



