What Verisign-free CAs are left?
on 14.06.2006 12:21:30 by GP
Not knowing which companies have been assimilated by Verisign...
what respectable organizations out there do personal certificates?
Preferably a company whose root certificates are already installed
with common products like Firefox. Such a company need not be free
-- I already know of CAcert.org.
Given the utter contempt for Verisign one finds in some quarters, I'm
surprised I wasn't able to find a FAQ with such a list (or a pointer
to one).
--
Gregory Pratt gp@panix.com
East Rutherford, NJ, USA http://www.panix.com/~gp/
"The only good spammer is a dead spammer."
PGP Key Fingerprint: DC60 FCDE 91E2 3D41 91A3 45DB B474 3D3A 3621 AAFE
Re: What Verisign-free CAs are left?
on 14.06.2006 13:24:19 by Sebastian Gottschalk
Greg Pratt wrote:
> Not knowing which companies have been assimilated by Verisign...
> what respectable organizations out there do personal certificates?
CERN Higher Education Root
Deutsche Telekom Root CA
POSTEN.pl
Microsoft Secure Server Authority (doesn't apply to your scenario)
DFN (Deutsches Forschungsnetz)
Staat der Nederlanden
TS TrustCenter (insolvent)
Equifax Secure eBusiness (not any more, have been bought by GeoTrust)
> Preferably a company whose root certificates are already installed
> with common products like Firefox.
That's the problem: All preinstalled CAs are either untrustworthy
because of lax services or because they're scumbags by not applying
their secure services policies properly. And sometimes additionally by
company (like AOL/Time Warner).
> Such a company need not be free -- I already know of CAcert.org.
Exactly. CAcert doesn't do comprehensive checking, but at least they're
free and no scumbags at the same time. Comodo, Entrust, RSA and
ValiCert's free services are trustable as well, at least up to the low
limits of the lax policies.
> Given the utter contempt for Verisign one finds in some quarters, I'm
> surprised I wasn't able to find a FAQ with such a list (or a pointer
> to one).
In de.comp.security.misc we've already been discussing the subject of
trusted CAs. A safe whitelist is seen above, but none of these is
included in any webbrowser. Short: SSL in webbrowsers sucks.
Re: What Verisign-free CAs are left?
on 15.06.2006 00:39:50 by Doug McIntyre
Sebastian Gottschalk writes:
>Greg Pratt wrote:
>> Not knowing which companies have been assimilated by Verisign...
>> what respectable organizations out there do personal certificates?
>CERN Higher Education Root
>Deutsche Telekom Root CA
>POSTEN.pl
>Microsoft Secure Server Authority (doesn't apply to your scenario)
>DFN (Deutsches Forschungsnetz)
>Staat der Nederlanden
>TS TrustCenter (insolvent)
>Equifax Secure eBusiness (not any more, have been bought by GeoTrust)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^
Which has been bought by Verisign.
We're just waiting to see how high GeoTrust's cert prices go up after
Verisign takes over fully, and if we can gauge Thawte's price
increases similarly.
Re: What Verisign-free CAs are left?
on 15.06.2006 02:14:11 by Sebastian Gottschalk
Doug McIntyre wrote:
> Sebastian Gottschalk writes:
>> Greg Pratt wrote:
>>> Not knowing which companies have been assimilated by Verisign...
>>> what respectable organizations out there do personal certificates?
>
>> CERN Higher Education Root
>> Deutsche Telekom Root CA
>> POSTEN.pl
>> Microsoft Secure Server Authority (doesn't apply to your scenario)
>> DFN (Deutsches Forschungsnetz)
>> Staat der Nederlanden
>> TS TrustCenter (insolvent)
>> Equifax Secure eBusiness (not any more, have been bought by GeoTrust)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^
>
> Which has been bought by Verisign.
Doesn't matter, they've been very scummy scumbags before. They were even
proud of having been able to circumvent their own policies in an audit.
> We're just waiting to see how high GeoTrust's cert prices go up after
> Verisign takes over fully, and if we can gauge Thawte's price
> increases similarly.
Thawte isn't very trustable either, you can get almost any eMail
certificate from them, even at the highest trust level, without even
revealing your identity.
Re: What Verisign-free CAs are left?
on 15.06.2006 11:17:00 by GP
In article <4fbn2rF1igiivU2@news.dfncis.de>,
Sebastian Gottschalk wrote:
>Doug McIntyre wrote:
>> Sebastian Gottschalk writes:
>>> Greg Pratt wrote:
>>>> Not knowing which companies have been assimilated by Verisign...
>>>> what respectable organizations out there do personal certificates?
>>
>>> CERN Higher Education Root
>>> Deutsche Telekom Root CA
>>> POSTEN.pl
>>> Microsoft Secure Server Authority (doesn't apply to your scenario)
>>> DFN (Deutsches Forschungsnetz)
>>> Staat der Nederlanden
>>> TS TrustCenter (insolvent)
>>> Equifax Secure eBusiness (not any more, have been bought by GeoTrust)
>> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^
>>
>> Which has been bought by Verisign.
>
>Doesn't matter, they've been very scummy scumbags before. They were even
>proud of having been able to circumvent their own policies in an audit.
They're also known spammers. They were kicked out of a data center 2-3
years ago after I (along with many others, I suspect) reported them to
their colo provider. I was pretty impressed.
I wouldn't touch them whether they were owned by Verisign or not.
--
Gregory Pratt gp@panix.com
East Rutherford, NJ, USA http://www.panix.com/~gp/
"The only good spammer is a dead spammer."
PGP Key Fingerprint: DC60 FCDE 91E2 3D41 91A3 45DB B474 3D3A 3621 AAFE
Re: What Verisign-free CAs are left?
on 15.06.2006 13:50:59 by Ludovic Joly
What Verisign-free CAs are left? Well... The ones inside the 28% market
share that Verisign has not yet secured.
Kind regards
Ludovic
PS: Thawte=Verisign
http://news.netcraft.com/archives/2006/05/17/verisign_to_buy_geotrust_combining_top_ssl_providers.html
Re: What Verisign-free CAs are left?
on 16.06.2006 01:17:32 by Quel-y
Sebastian Gottschalk wrote:
> Thawte isn't very trustable either, you can get almost any eMail
> certificate from them, even at the highest trust level, without even
> revealing your identity.
Actually, I haven't found that at all. After numerous calls to/from South
Africa and their U.S. sales representative, who is brutal at returning phone
calls, we finally got our certificate. Had to jump through a few hoops along
the way. They verified everything like they were giving a merchant account.
A cheap $20 GoDaddy certificate isn't root-level, but it requires no
identification at all beyond a credit card. Takes five minutes to get. And
most customers using an SSL website with one will never be the wiser.
--
Quel-y is bangpath(at)sent.as ... remove NOSPAM when e-mailing a reply
Re: What Verisign-free CAs are left?
on 16.06.2006 07:42:42 by Sebastian Gottschalk
Quel-y wrote:
> Sebastian Gottschalk wrote:
>
>> Thawte isn't very trustable either, you can get almost any eMail
>> certificate from them, even at the highest trust level, without even
>> revealing your identity.
>
> Actually, I haven't found that at all.
I said "you can", not "you will always". Of course such things happened
in clear violation of their policies, but this is not acceptable for any
default trusted root-CA.
> A cheap $20 GoDaddy certificate isn't root-level, but it requires no
> identification at all beyond a credit card. Takes five minutes to get. And
> most customers using an SSL website with one will never be the wiser.
Point taken. SSL certs today are only good for suppressing warnings on
the client.
>
> --
> Quel-y is bangpath(at)sent.as ... remove NOSPAM when e-mailing a reply
Re: What Verisign-free CAs are left?
on 18.06.2006 13:08:45 by see-my-signature
Sebastian Gottschalk wrote:
>>A cheap $20 GoDaddy certificate isn't root-level, but it requires no
>>identification at all beyond a credit card. Takes five minutes to get. And
>>most customers using an SSL website with one will never be the wiser.
>
>
> Point taken. SSL certs today are only good for suppressing warnings on
> the client.
Would spending the $20 make it look any more authoritative to a casual
observer than getting a mate to sign one? Would there be a warning
issued if using Internot Exploiter about not being trusted etc?
I set up a site for a mate and did a simple self-sign (I was going to
get Mickey Mouse to sign it, but then thought copyright might be an
issue!) But I'm interested if GoDaddy has any advantages over a
self-signed one.
The name 'GoDaddy' seems a bit of an inappropriate choice to give a
feeling of authority (it sounds a bit childish), but that aside, does it
offer anything?
The GoDaddy site says it's 99% browser compatible - what does that
actually mean?
--
Dave K MCSE.
MCSE = Minefield Consultant and Solitaire Expert.
Please note my email address changes periodically to avoid spam.
It is always of the form: month-year@domain. Hitting reply will work
for a couple of months only. Later set it manually.
http://witm.sourceforge.net/ (Web based Mathematica front end)
Re: What Verisign-free CAs are left?
on 18.06.2006 13:38:07 by Sebastian Gottschalk
Dave (from the UK) wrote:
>> Point taken. SSL certs today are only good for suppressing warnings on
>> the client.
>
> Would spending the $20 make it look any more authoritative to a casual
> observer than getting a mate to sign one?
It would raise the level of trust, yes.
Would it look more authoritative? Well, about how many users even read
screen messages, yet do know what SSL is good for?
> Would there be a warning
> issued if using Internet Exploiter about not being trusted etc?
Dunno, is the GoDaddy root cert in IE by default?
> I set up a site for a mate and did a simple self-sign (I was going to
> get Mickey Mouse to sign it, but then thought copyright might be an
> issue!)
Copyright on Mickey Mouse has ceased back in 1999, the lawful defense of
Disney to extend the copyright period was dismissed in 2001.
> But I'm interested if GoDaddy has any advantages over a self-signed one.
If the root cert is in your webbrowser, then you'll suppress the warning.
> The GoDaddy site says it's 99% browser compatible - what does that
> actually mean?
Why do you expect it to mean something? :-)
Re: What Verisign-free CAs are left?
on 18.06.2006 13:46:45 by GP
In article <4fbn2rF1igiivU2@news.dfncis.de>,
Sebastian Gottschalk wrote:
>Thawte isn't very trustable either, you can get almost any eMail
>certificate from them, even at the highest trust level, without even
>revealing your identity.
Those alleged shortcomings aside, Thawte is owned by Verisign
(since 2000). No, thank you.
--
Gregory Pratt gp@panix.com
East Rutherford, NJ, USA http://www.panix.com/~gp/
"The only good spammer is a dead spammer."
PGP Key Fingerprint: DC60 FCDE 91E2 3D41 91A3 45DB B474 3D3A 3621 AAFE
Re: What Verisign-free CAs are left?
on 27.06.2006 12:39:09 by GP
In article , I (Greg Pratt) wrote:
>Not knowing which companies have been assimilated by Verisign...
>what respectable organizations out there do personal certificates?
>Preferably a company whose root certificates are already installed
>with common products like Firefox. Such a company need not be free
>-- I already know of CAcert.org.
>
>Given the utter contempt for Verisign one finds in some quarters, I'm
>surprised I wasn't able to find a FAQ with such a list (or a pointer
>to one).
The somewhat confused answers I got made me realize that perhaps I
framed the wrong question. Let me try this again.
What CAs out there *ARE* owned by Verisign?
A good answer to that question would at least help give me a shorter
list of "possibly good" CAs to check out.
--
Gregory Pratt gp@panix.com
East Rutherford, NJ, USA http://www.panix.com/~gp/
"The only good spammer is a dead spammer."
PGP Key Fingerprint: DC60 FCDE 91E2 3D41 91A3 45DB B474 3D3A 3621 AAFE