robbat2: (Default)

I'd like to thank the relevant parties (*waves at StartCom*) for bringing an important correction to my notice.

I previously followed somebody else's summary of the Mozilla CACert inclusion battle, rather than reading the 135 entries on the official Mozilla bug for the matter. More importantly, their summary unfortunately led me to a bad conclusion (probably aided by a lack of sleep on my part when writing up my presentation on the morning of BarCamp, due to the cold, hard, concrete floors), namely the statement "CACert audit by 'We!' funded by StartCom".

This was brought to my attention this morning, and I slogged through the bug mentioned as well as other sources, and found that StartCom was audited by We! Consulting, and that the same was only suggested for CACert. According to one source that commented on my previous post, CACert refused We! Consulting, but I can find nothing else to back up that statement. However, I also find nothing to indicate that they presently have anybody lined up to audit them. I'd like to repeat that for good measure, however: CACert is not being audited presently, nor is any audit of them being funded by StartCom.

Some other research on the matter provides the following links from the CACert wiki, which include a TODO list on CACert's audit process (in short: not yet, there's still paperwork on CACert's side in the way), as well as an invitation page listing CACert's criteria for an auditor.

robbat2: (Default)

[Edit: Please see the corrections regarding the CACert Audit posted here.]

This is the outline version of my Powerpoint presentation, created using information from the CACert site and wiki.

Title: CACert - Verified SSL without paying Verisign
  • Facets
    • History
    • Verification
    • CACert point system
    • Integration
    • Assurance time!
  • History
    • Thawte
      • Web-of-Trust
      • Notaries
      • Things killed by Verisign
  • Verification
    • Why?
      • Identity implications
      • Legal requirements
      • Trying to avoid Verisign-like screwups
    • PGP/GnuPG keysigning
      • Checking IDs
      • (Known-data|shared secret) exchange
    • CACert
      • Keysigning process + point allocation
  • CACert point system
  • Integration (why doesn’t it work in my browser right now?)
    • Already in most Linux distributions
    • IE: Microsoft requirements
      • WebTrust audit
        • $75K USD upfront, $10K USD yearly
      • Not likely to happen soon
    • Mozilla requirements
      • Audit by any suitable company
      • CACert audit by ‘We!’ funded by StartCom
  • Assurance time!
    • Quick guide to filling out the form
    • Circulate!
robbat2: (Default)

For the geeks and security-conscious amongst us, there will be a PGP keysigning event here in Vancouver. September 1st, 7pm. I will be attending, as will a notary on the Gossamer Spider Web of Trust (GSWoT) and an OpenCA Assurer.

Think Coffee Lounge & Bistro
4512 10th Avenue West,
Vancouver, BC V6R2J1
(604) 228-9510

Please see for further details and instructions of things that must be done before attending.

Please circulate this announcement amongst anybody you know that uses PGP.
