posted by [personal profile] rfunk at 10:30pm on 03/04/2005
Today I got up early and joined some Canton friends for a seven-hour excursion for lunch in Columbus. Why?
We went to meet Duane Groth, president of the CAcert board.

CAcert is a project intended to apply a strict form of the PGP-style "community web of trust" model to SSL-style (X.509) certificates, rather than paying someone like Verisign or Thawte to sign your certificates. CAcert uses a point system: people get points by being "assured" (having their identity verified) by someone with enough points to have that power. Normally you get up to 35 points for being assured by one person, and once you accumulate 150 points you can assure other people. (There are also certificate-related benefits available depending on the number of points you have.)

Duane is on an extended leave from Australia to tour the U.S. promoting CAcert and seeding the system by creating new Assurers. As a board member, he has the power to award 150 points to a person all at once, immediately making that person an authorized assurer, who is then able to award up to 35 points per authenticated person. (I like to think of it as a bit like getting your PGP key signed by Phil Zimmermann, though the web-of-trust models work a bit differently. Which made me wonder: [livejournal.com profile] stega, did you ever get a PGP key signed by Zimmermann before fleeing his company?)

So now I am authorized to authenticate people and award up to 35 points to them, as are the other people I went with. (As I write this I am among a total of 1775 authorized CAcert assurers in the world, and 23260 verified users in the system.) I can also create assured client certificates, code signing certificates, and server certificates. The only problem is that today's SSL client software does not yet trust CAcert by default; the CAcert root certificate must be imported and trusted. Apparently it would cost $75000 plus $10000/year to get it into Internet Explorer (far outside CAcert's budget), but they are working on getting it into Mozilla/Firefox.
Mood: geeky
There is 1 comment on this entry.
 
posted by [identity profile] stega.livejournal.com at 06:05pm on 04/04/2005
It's not his company. He doesn't even work as a full-time employee there. (Rumor has it that he's making more money off his CLI tool and other projects than that hell hole is making off their products.)

No, he didn't sign it, but he did want me to fix his personal servers.

Funny story: for 8 months after I left, my key was up on the keyserver.pgp. I had to leave it up there or the thing would die, as the daemon check scripts checked for my key using GPG. If the server failed to return a response, it would be restarted (a poor man's way to deal with a database spec'd to hold a maximum of 100K keys but that in reality was carrying several million). I told people there they needed to fix the issue (before and after I left) but no one listened. I just kept getting paged every time the thing had issues. When I submitted bills for the time/notifications they refused to pay me. I charged them $100 for every unwanted message, and there were other charges mixed in for things like their ISPs calling me on Sundays because lines were down (this was after I had left).

Now, it looks like karma may be spinning my way. More details on that later.
