Subject: Policy-Discussion
- From: Ian G <iang AT cacert.org>
- To: cacert-policy AT lists.cacert.org
- Cc: Peter Williams <home_pw AT msn.com>, 'Andreas Bürki' <abuerki AT cacert.org>, 'CAcert Members Mail List' <cacert-members AT lists.cacert.org>
- Subject: Re: What is the mission of CAcert ?
- Date: Sat, 02 Jan 2010 13:54:18 +0100
- Authentication-results: lists.cacert.org; dkim=pass (1024-bit key) header.i= AT cacert.org; dkim-asp=none
On 31/12/2009 17:12, Peter Williams wrote:
Now, before X.509 existed, there was the world of cryptography using symmetric keys. Some of the
principles of managing this type of key still have value worth considering today. There was the
concept of a well-known device known as a "key fill" (in North American
English). Today, we know it as a "root key", which gives the electronic cryptography module
its basic mathematical parameters. The question was, and still is, how these
keys would be managed while they are "in distribution".
That works for us. My Spanish, too, is no more than the minimum to get by.
What Peter's message suggests is that if you want to do security with cryptography, you have to look past the institutional history, and at what keys can actually do.
On the other hand, if we are following the institutional path - audits, root lists, browsers, etc - then we may not be following a goal of security. That would be fine if our goal was otherwise stated in good terms, such as "eliminate pop-up madness" or the popular "free certs!" goal.
But if our goal is expressed as security, then we'll see some tension. E.g., it might be easier to deliver security using OpenPGP email than with S/MIME email.
There is an inescapable tension between security and institutional structures. Those institutions cost a lot of money to run (CAs, browsers, developers, audits, standards committees) and that money has to come from somewhere. It doesn't take a PhD in economics to realise that if the money comes, it matters not how or why. Security is optional, money is not.
CAcert might be in a good place to follow either, or both, depending on how its thoughts go... or neither, if we are distracted along a wasteful path. By this latter, I mean that it is a common practice of big incumbents to create barriers to entry, in the form of ever tighter regulatory requirements. E.g., Audit is becoming tougher not easier (see ETSI, QC, EV).
Old Chinese curse: to live in interesting times...
iang