
cacert - Re: Validation of the "certified assurer" certificate?

Subject: A better approach to security

  • From: Benedikt Heintel <benedikt AT heintel.org>
  • To: cacert AT lists.cacert.org
  • Subject: Re: Validation of the "certified assurer" certificate?
  • Date: Mon, 15 Feb 2010 22:02:23 +0100

Coming back to the original post, I have a different proposal:

What about a form where you just enter the Name (as it is on the
Certificate) and the serial number. The script replies: Valid or not valid.

There are no privacy concerns, because no one will guess the right name
to a random serial number. It is hassle free, because you just need to
type what you see. And moreover there is no need to issue new (paper)
certificates to those already shipped.

Implementation should not be the problem. Integration ... we know how
slow the processes are at CAcert.

Regards
Benedikt


Florian Hannemann wrote:
> Hi,
>
> I successfully finished the test and became a "certified assurer". So I ask
> if I could get a printed version of it. Nice to have and if you want to
> apply for an IT job it can't hurt if you show interest in this topic.
>
> Anyway after I got the PDF file I was a bit surprised. It had a serial
> number on it which was telling me how many people ask for this before I
> did. Nothing else on it!
> OK there was a digital signature to verify the file, but after you send a
> printed version of it to someone there is no way to verify that paper
> document.
>
> So I ask why is there no web site where you can enter the serial number and
> the name on the document to get a confirmation?
> And the answer (in short) was "You know there was a plan to do it, but
> there were also some privacy issues."
>
> OK now here is my idea how to make it possible to send out a document,
> which can be verified by anyone who has it in his hand and is able to
> access a web site.
>
> 1) Put a random number on it, which replaces the serial number. And print
> the URL to verify the certificate also on it.
> 2) Create a database which contains only the name and the corresponding
> serial number of the issued "certified assurer" certificates.
> 3) Create a web site which can be accessed by everyone who wants to
> verify the document. To get a simple "this certificate is valid" or "Sorry,
> these entries don't correspond to any certificate in our database, please
> check for typing errors" output, the person has to enter the name and the
> serial number from that document.
>
> I chose a random serial number to hide how many people ask for this
> certificate. First of all the number of people who ask for this document is
> smaller than the actual number of people who are "certified assurer", so it
> is confusing (or from some points of view simply wrong) anyway. And
> secondly to make it harder for data mining processes.
> The random number could also include a hash of the name of the owner or
> other information. I saw this already on similar documents from other
> organisations, and I try to get a more professional look for this CAcert
> document with this.... sorry but I really try to avoid the term of "ID
> number for the certificate document" here.
> But this number should also be short, to avoid typing errors and making it
> unnecessarily hard for someone who wants to validate the document.
>
> Another additional idea is to include the date of the last successfully
> finished "certified assurer test" to the output of that request. That could
> be interesting because the certificate could be several years old, but the
> owner still keeps himself up to date. So there would be no need to send out
> new certificates over and over again.
>
> The main goal of the whole idea is to allow someone to verify this document
> even if it changed the medium e.g. to paper or if this certificate is used
> in a format that can't be signed or lost the signature somehow.
> To avoid privacy problems the testing person has to enter the name and a
> document number.
> The confirmation should not include the name, email address or any
> additional information about the certificate owner. Just a good old boolean
> answer.
> Since the certificate is only sent to people who want to do something with
> it (e.g. use it for a job application) and not to everyone who is (or
> becomes) a "certified assurer" the privacy issue of everyone else is not
> involved. And even for the ones who are involved it is minimised to
> information the guy who holds the printed document in his hands got
> already. The privacy problem could be further reduced by letting the user
> decide by themselves, if they want to make it possible to validate their
> certificate documents via web interface or not. This could be done on the
> same web page where you can add email addresses, domains or PGP keys.
> In addition it should be possible to download the certificate from the page
> where you can see your own points.
>
> I know this whole certificate is more or less a "just for fun" thing, but
> why shouldn't it be used for something professional? And this simple idea
> could lift this certificate to a sort of professional level.
> And all of this should be possible to implement without a lot of work with the
> existing infrastructure.
>
> cu Florian
>
>

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
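
A sketch of the lookup proposed in this thread, added as an example and not part of the original posts or of CAcert's code: a random document number drawn from a look-alike-free alphabet, a store holding only name and number, an owner opt-in flag, and a boolean-only answer. The class and function names, the 10-character length and the in-memory store are assumptions for illustration.

```python
import hmac
import secrets
import unicodedata

# Alphabet without look-alike characters (0/O, 1/I/L) to reduce typing errors.
ALPHABET = "23456789ABCDEFGHJKMNPQRSTUVWXYZ"
CODE_LEN = 10  # assumption: about 49 bits of randomness, still short to type


def normalize_name(name: str) -> str:
    """Fold case, Unicode form and whitespace so the name can be typed as printed."""
    return " ".join(unicodedata.normalize("NFKC", name).casefold().split())


def normalize_code(code: str) -> str:
    """Accept lower case and the dashes or spaces people add when copying from paper."""
    return "".join(ch for ch in code.upper() if ch.isalnum())


class AssurerRegistry:
    """Holds only what the printed document shows: name and document number."""

    def __init__(self):
        self._docs = {}  # code -> (normalized name, owner opted in to web validation)

    def issue(self, name: str, opt_in: bool = True) -> str:
        """Create a random, non-sequential document number for a certified assurer."""
        while True:
            code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
            if code not in self._docs:  # retry on the (unlikely) collision
                self._docs[code] = (normalize_name(name), opt_in)
                return code

    def verify(self, name: str, code: str) -> bool:
        """Boolean only: unknown number, wrong name and opted-out owner look the same."""
        stored_name, opt_in = self._docs.get(normalize_code(code), ("", False))
        match = hmac.compare_digest(stored_name.encode(), normalize_name(name).encode())
        return opt_in and match


if __name__ == "__main__":
    registry = AssurerRegistry()
    number = registry.issue("Alice Example")  # constructed sample name
    print(number, registry.verify("alice  example", number.lower()))
```
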



