[Ach] StartSSL for Business Sysadmins
arw at cs.fau.de
Mon Jan 13 20:40:52 CET 2014
On 14-01-13 18:11, ianG <iang at iang.org> wrote:
> On 13/01/14 16:22 PM, robin.balean at a-trust.at wrote:
> > I find the CA bashing on this list a bit naive and irresponsible.
> > Surely the ACH document should be advising that non-serious CAs be removed from these lists instead of encouraging administrators to obtain their certificates from them.
> Other than the delicious irony here, how do you propose to advise people
> on what that means? I mean, in particular, what is your algorithm for
> discerning between the "non-serious" and the "serious?"
As stated previously: "commercial" vs. "free" or "cheap", so there is a price
threshold. You would just have to check the publicly available list of
prices for the commercial CAs, compare to your threshold and include or
exclude. That would of course cause a price-race to the top with no
benefit except for CA profits.
The other possibilities would include doing an audit, which would be
useless unless done completely in the open (e.g. publish source code,
personnel records, internal financial allocation). Otherwise you just
shift the necessity of trust from the CA to the auditor. Due to
commercial CAs being necessarily secretive, this is not an option,
unless you only want to audit CAcert. And DigiNotar showed that the
usual audits are worthless.
Or you could limit yourself to "not-for-free" and "not-cheap" CAs that
nonetheless have some kind of obligation or charter to spend all income
on operations and make no profit. In that case you could at least be
sure that the price you pay is more comparable to some "amount" of
security you buy, whatever little that may mean. Because for-profit CAs
that are expensive could just as well give all their money to their
owner/shareholders/whatever and spend nothing on fancy security beyond
their immediate audit requirements.
I guess none of that would be a sensible option.