From: Alex Strasheim <cp@proust.suba.com>
Date: Mon, 29 Jan 1996 03:18:10 +0800
To: cypherpunks@toad.com
Subject: Netscape, CAs, and Verisign
Message-ID: <199601281901.NAA06629@proust.suba.com>
MIME-Version: 1.0
Content-Type: text


I'm a big fan of Netscape and their products, and I think they do a good 
job of addressing the interests of their customers and the public at 
large with respect to crypto issues.

But it's starting to become apparent that there's a fairly serious problem
with Certification Authorities and SSL.

The problem is simple enough:  sites with certificates from one of the CAs
that are preconfigured in Netscape have a tremendous advantage over sites
with certs from other CAs, and it's expensive and difficult to get a cert
if you're running an alternative server like ApacheSSL. 

This problem is going to get a lot worse when X509 client authentication 
becomes more popular.

Netscape needs to address the situation.  It's just not practical or
desireable for one company (Verisign) to have a stranglehold on
certificates. 

I'd like to see a less centralized CA that's tied into the existing system
of notaries.  The idea is to make it necessary to spoof a notary in order
to spoof the CA.  That won't make spoofing the CA impossible (nothing
will), but it will make spoofing the CA illegal. 

A notary could apply to the CA for the right to work as an agent, for a
nominal fee (<$100/year).  Only notaries could be agents.  If a person
wants a certificate, they'd come in and present ID and a key to the
notary/agent.  The person would have to present a form document stating
that he's requesting the cert.  The notary would stamp the form and affix
a signature to the key which would enable it to be processed automatically
by the CA. 

Fees for the whole procedure ought to be less than $30.  The CA ought to
operate off of the fees from the agents as a non-profit organization, and
the agents ought to keep the fees paid by the people requesting the
certificates.

Would any of the lawyers on the list be willing to comment on whether or
not it's possible or practical to tie a CA into the notary system?  Does
anyone have any thoughts as to how difficult/risky spoofing my CA is
compared to spoofing Netscape or Verisign? 

I could put up a server and I think I know a laywer who would help me set
up a non-profit organiation on a shoestring, but I don't want to do it if
the plan is impractical.  

Morevover, although I don't think it's reasonable to expect Netscape to
agree to include a non-existent CA in their browsers sight unseen, at the
same time it doesn't seem smart to sink money into setting up the CA
without some indication from Netscape that they're willing to give the
idea good faith consideration.