|
|
|
|
|
|
by tialaramex
3130 days ago
|
|
|
CACert is a weird example because their model was completely at odds with how everybody else (yes now including Let's Encrypt) does things. CACert says this is trustworthy because you have to know somebody who knows somebody who knows somebody etcetera. The profiles with a single photo of a swimsuit wearing young woman and a generic-sounding name that say they know me from school on Facebook every few weeks can tell you what happens to that idea at scale. In contrast all the trusted public CAs (commercial or not) have a bunch of employees either directly making validation decisions according to some company policy or writing software to automatically make such decisions. In theory maybe CACert's model really could work, but what it definitely can't do is work the same way as everybody else. So it was very hard to get anyone to give them a chance, still less after they started to have internal squabbles. You are correct that gaining trust takes time, but what a conventional CA does (with the exception of maybe Verisign and Thawte which are _really_ old) is they first get an existing trusted CA else to sign a subCA certificate saying they trust the new CA. The ordinary "Let's Encrypt Authority X3" certificate is signed by IdenTrust (it says "DST Root CA X3" on it but the Digital Signature Trust no longer exists). There's another copy of the same certificate signed by ISRG, but that's only trusted in much newer software. Modern Firefox, current macOS or iOS, but not say, Internet Explorer 10 |
|
|
Well, CACert insisted on validating people but it turns out that it's not really necessary to know your customer to issue DV certs according to Baseline Requirements. Let's encrypt understood it and just did a minimal required job to be accepted (it's still a lot of work).
Instead of verifying people I'd gladly see X.509 replaced with OpenPGP w.r.t. trust model so that I could see who trusts who and why. OpenPGP has a mode of hierarchical trust with trust signatures, additionally they can be limited to a domain, that could be used to give people power to issue their own certificates for their own domains.