Tuesday 21 July 2009

CAcert Auditor Resigned

This is a long story. There is a not-for-profit certification authority, CAcert, built on the idea of applying the "web of trust" to a public key infrastructure. This is a good idea: many security problems boil down to establishing people's identities, and having a large network of assurers check people's IDs and passports is still at least as good as having a large corporation check that someone has access to somebody's email (or to their old-style postal mailbox, if done a little more securely).
However, they want their root certificate in the default installation of popular browsers, in particular Firefox. This requires a security audit, which means that the "infrastructure" part of the PKI has to be audited as well. That is extremely painful, and it is what triggered this post: a few days ago their auditor resigned.
The quick way out of this is to say "PKI is too complex" and send people back to the classic web of trust. I don't think so. PKI is worth its complexity when it comes to long-term operation. I should think of a way to help beyond making an assurance here and there (I'm humble number 1592 on their assurer list).
