This essay does not describe an existing computer program, just one that should exist. This essay is about a suggested student project in Java programming. This essay gives a rough overview of how it might work. I have no source, object, specifications, file layouts or anything else useful to implementing this project. Everything I have prepared to help you is right here.
This project outline is not like the artificial, tidy little problems you are spoon-fed in school, when all the facts you need are included, nothing extraneous is mentioned, the answer is fully specified, along with hints to nudge you toward a single expected canonical solution. This project is much more like the real world of messy problems where it is up to you to fully the define the end point, or a series of ever more difficult versions of this project and research the information yourself to solve them.
Everything I have to say to help you with this project is written below. I am not prepared to help you implement it; or give you any additional materials. I have too many other projects of my own.
Though I am a programmer by profession, I don’t do people’s homework for them. That just robs them of an education.
You have my full permission to implement this project in any way you please and to keep all the profits from your endeavour.
Please do not email me about this project without reading the disclaimer above.
The technical aspects are not really all that difficult. Java comes with the tools you need such as keytool.exe and the JCE library.
The tricky parts of the project are financial and political, not the coding.
The secret is 100% automation of the verification process, except perhaps for a last minute check you are not selling a certificate to your arch enemy. The verification is not as strong as Thawte and Verisign guarantee.
I propose using a fully-automated verification system that piggybacks on the existing PGP (Pretty Good Privacy) digital signature system. Here is how the automated verification and certificate-issuing works.
Note that El Cheapo has no knowledge of any applicant’s private keys.
It cannot verify names and city/states except for the root domain and then it is trusting DNS records. It is just verifying email address and website name. It cannot verify the name of the certificate owner the way Thawte and Verisign can.
You must be extremely careful that no one ever gets hold of your master private keys. They must be stored on a totally isolated computer. If they were compromised, every certificate you ever issued would also be compromised.
Unlike the big certificate companies, you would not offer insurance to cover the massive damage you could cause by a slip.
You need a somewhat flaky name for the company, not quite as cheesy as El Cheapo though, to make it clear your certificates are of lesser quality than Thawte/Verisign’s, not just cheaper, e.g. Almost Free Certificates, ABC Certificates, No-name Certificates, House Brand Certificates, House Wine Certificates Yellow Box Certificates, Al’s Certificates, Acme Certificates, Ace Certificates, Bargain Basement Certificates, Generic Certificates, Just Plain Certificates, No Frills Certificates…
or go ridiculously pompous; Universal Certificates, Intergalactic Certificates, My Planet Certificates…
or hip, Down Low Certificates, Green Dog Certificates, GoBrother Certificates…
or just a bit looney Off Broadway Certificates, Certificate Seconds, Goodwill Certificates, The Vouchers, Mother’s Certificates…
The key is to pick a name that does not suggest big business as your target market. On the other hand, it can’t be so unappealing that you scare off your customers and the end users. Think hard about it. Test your candidates on people to see how they like them and would they actually accept code vouched for by such a company. Also check out the availability of matching domain names.
Oracle does not want to get the backs up of the big name certificate authorities. You want to reassure Oracle/Thawte/Verisign why your project will help them all make more money in the long run if they co-operate or leave you alone rather than if they manage to squash you. Point out that successful small software developers will later migrate to a more prestigious certificate. Without the training wheels of El Cheapo, applicants might never graduate to that. Point out that you will be training applicants in the basic procedures, making later sales to Thawte/Verisign go more smoothly with less labour costs.
Let’s say Oracle refuses. Your fallback position is to get ASP (Association of Shareware Professionals) to either front El-Cheapo or at least post their root certificates on their website. There needs to be a way of reassuring the end user that El-Cheapo is a real Certificate Authority, not something invented by hackers for nefarious purposes.
You just might get the backing of Verisign/Thawte by promising to sell out to them for $X in the event you start to cut seriously into their business. They invest nothing and stand to gain whole new generation of customers.
Let’s say Oracle still refuses. Your fallback position is to offer a service that updates root certificates for all major certificate authorities, including of course, El Cheapo.
Let’s say that’s too much work, or the other CAs (Certificate Authorities) insist you not do that.
Offer the root update service via a program you download or a JWS (Java Web Start) app not officially associated with El Cheapo. It need not even embed the root certificates, a politically thorny issue. It can get them as needed direct from the CA (Certificate Authority) website master copies.
If they won’t let you do even that, then post instructions in many places on how to update root cerebrates for the major CA companies and include El-Cheapo as if it were their peer.
You can also give applicants some text to include on their websites to instruct users how to install El Cheapo root certificates in their Java so that your El-Cheapo certificate will function properly. The text paints El-Cheapo, certificate provider to the people, as the underdog pushed aside by the greedy corporate Thawte, Verisign and Oracle. Do everything you can the take business away from Thawte and Verisign rather than passing it on up to punish them for their bullying.
You would be more believable in your protestations you are not trying to put the big CAs out of business if you owned certificates from the major certificate signing authorities. You must always be upfront to everyone about why your certificates are cheaper, to explain what you have to give up when you use an El-Cheapo certificate.
If the competition unnerves you, consider selling the idea to a company already in the low-cost certificate business, usually SSL (Secure Sockets Layer) certificates, e.g. GoDaddy.
This page is posted
Optional Replicator mirror
Your face IP:[188.8.131.52]
You are visitor number|