This is Perry's department, so don't blame the other Cynics. They were forced to go along. In fact, I didn't even ask them.
So Why Did I Do it?Out of a combination of reckless exuberance and calm deliberation. I have several reasons, some of them good and some others merely interesting:
- I want control over my own software. That means I want to determine myself exactly how my certificates look, what they say, how they are controlled, and what they mean. If there's a problem, I want to be able to fix it without having to trust some company's quality control department. If I have to go through the process a dozen times to get it just right, I want to be able to do this without paying through the nose. No commercial Certificate Authority I know offers me this.
- I don't see what value I'm getting for buying certificates from the current crop of commercial Certificate Authorities. Far from any real certification, what they seem to offer is pre-arranged access to other people's browser desktops - a classic case of rent seeking.
- I detest Verisign's business model and practices with an intensity that I once reserved for Microsoft. Come to think of it, they smell more and more alike. I certainly don't want to do business with them; and they have bought most of their former competition, or driven them out of business.
- I believe that the X509 standard has become tainted with the centralized approval model imposed on it by the corporations that control its implementation. Rather than give in to their centralized control, or adopt PGP and abandon the X509 field to them, I want to put my own small stake into the ground to show that the X509 certificate model can be usefully and viably used without them.
- I like complicated systems. It's fun. No, really.
How Did I Do It?It wasn't that hard, really. The people working on OpenSSL did all the hard work. I just put together a few dozen shell scripts, a few hours of design and testing, and some research - some interesting, some tedious - to make a certificate authority (CA) package good enough for us. It's not industry strength - it doesn't have the performance to manage tens of thousands of certificates, and it has no
public face, almost no web view. But that suits me perfectly, because it ensures that I manually sign and revoke each certificate, hopefully after considering what I'm doing.
What's With That Cyberspace Thing in Your Certificates?X509 requires that each certificate be tied to a distinguished name, which is made up of hierarchical geographic fields such as country, organizations, and so on. That works okay for people and perhaps legal entities, but hardly means anything for more abstract entities. So I just decided to locate my signing certificate in a state called Cyberspace. This should really not unduly disturb you.
Isn't This a Bit Overdone?Well, yeah, I suppose so. But much of the madness has method. For example, the separation between root and signing keys means that the root key is only used about once a year and can thus be kept completely offline. The signing key is used more often, but if it gets compromised, I can get the root key to securely revoke it. This extra level of indirection also allows for clean separation between our certificates and any that are issued to third parties.
Anyway, I don't pay by the certificate, and all my certificates are first class and just as good as I can make them. The current arrangement allows for easy and flexible expansion, and who cares if the computers have to work a bit harder? Surely not I.
This arrangement also leaves you with a very flexible choice for your granularity of trust. The higher in the hierarchy you place your trust, the more certificates you automatically include in your trust.