[lug] htpasswd security

Bear Giles bgiles at coyotesong.com
Wed Mar 5 11:49:44 MST 2003


Peter Hutnick wrote:
> Absolutely not.  Here is the deal.  You make a certificate.  All the
> encryption is based on that cert.  You then either sign it yourself, or
> pay to have a so-called CA (certificate authority) sign it.  What you are
> buying is their promise to third parties that your cert really belongs to
> you.

A number of us are working on free (both ways) or low-cost CAs. 
The reason for the "low cost" is that email-only certs only get 
you so far, with a nominal credit card charge the CA can verify 
your name and address for a much more credible cert since the CA 
can provide some level of assurance about the accuracy of the 
information.  With some cash flow they can also afford to pay for 
real security. :-)

The reason BeastMark (mine) is an over-engineered monster compared 
to the others is because I want it to work with installers and 
third-party RAs.

"Installers" means that you could install a Debian or RedHat 
package that is smart enough to scan your package list, answer a 
few questions, and then acquire and install a dozen server 
certificates throughout your system.

"Third-party registration authorities" means that BLUG, say, could 
decide to issue personal certificates to members so they could 
prove their membership, send secret messages to each other, access 
a secure web site that requires client certs, whatever.  All they 
need to do is write a JMS "registration authority" and subscribe 
to the BeastMark message server.  The BLUG RA would then be able 
to provide profiles (think blank certificate requests) via all 
interfaces, and approve certificates for their members.

To me, it's the latter service that will make CAs useful. I really 
don't care whether Verisign says some unknown bozo has managed to 
get a certificate.  Aren't they the same company that routinely 
transfers domains to the wrong party (the "sex.com" case being the 
most notorious)?  On the other hand, if some group I routinely 
deal with vouches for somebody that means a lot more to me.

You can do this today... if you have a spare $100k (or thereabout) 
burning a hole in your pocket.  (The CA is actually bundled with 
something else, that's not the cost of the CA itself.)

Bear



