Truecrypt question regarding developers... and certificate

I know there have been past discussions about their identities, which as far as I know are still unknown?

If that's still the case, there's something that has been "bothering" me, but I just never bothered asking what you think about it.

So, they are anonymous. But, their software is digitally signed for Truecrypt Foundation. If the Certificate Authority did a great job knowing who requested the certificate, then wouldn't it mean that their identities are known? Otherwise, it would mean either the CA didn't do a proper job (surprise surprise) or... something else happened?

Another thing, their certificate seems to have expired in 09-11-2012 (day-month-year).

 

As far as I know, there are at least a couple names associated with TrueCrypt.

The trademark was registered in the Czech Republic under name of “David Tesařík”, and there is allegedly a "TrueCrypt Developers Association, LC" registered in Nevada. (I have to assume LC means LLC.)

https://en.wikipedia.org/wiki/TrueCrypt#Trademarks

The point is, I do believe you have a point in that either the certificate authority either has an ID on file, or didn't do its job properly.

BUT...just because there is a name on file it doesn't mean it is a TrueCrypt developer. People have attorneys and other 3rd parties act as signing agents for these kinds of things all the time. So yeah, it's entirely possible some CA has confirmed the identity of some attorney in Nevada. *shrug*

 

It still means someone has to have their identities. While I accept the fact that attorneys/other parties act as middle men, the identities of those who are requesting the certificates need to be known to CA. The point of digitally signing an application is that, if things go bad, you can go over there and beat the developers with a bat... in theory anyway.

So, if the CA issued the certificate to some attorney/other party without doing a great job verifying the identity of those actually requesting it, then it's one more story of a failed background check.

In comparison to this, it's just like other developers, such as DiskCryptor's one, which AFAIK is also unonown , which get the certificate through ReactOS Foundation.

I want to believe that ReactOS Foundation does know his/her/theirs true identity? I mean, if for legal reasons one needs to act upon them (truecrypt, etc), how would we known who they are? That's the whole purpose of a certificate - accountability. (It should be, anyway.)

 

Depends on what you mean by "someone". I'm pretty sure nearly everyone on Earth fits the description of being a person whom "someone has to have their identity."

Um. No.

Not necessarily. I'm not a CA expert, but I wouldn't be surprised if there was at least one who accepted the concept of agency and allowed an intermediary to act on behalf of the organization obtaining the certificate.

And if not, why can't the attorney simply have his agreement with the developers, and get the DC "for himself", and just hand it over to the foundation?

1) They would take legal action against the registrant (i.e. TrueCrypt Foundation). The certificate would lead to the CA, which would identify the person(s) they vetted. Whomever that person is, he'll either be able to accept the legal notice on behalf of the defendants (as their attorney), or he'll identify them so that they might be served, or he'll bear the liability himself, as the person on file. That would be my guess.

2) The purpose of the certificate is essentially reputation. It's a way to tie software to a particular developer, so that he can establish credibility with a customer base. It has nothing to do with everyone knowing who the developer is so that they might show up at his doorstep to physically assault him with blunt objects.

 

You took the beat with a bat in a strict way. lol

Yes, that's what the certificate is for, but I've seen it as accountability, which of course also implies reputation.

One thing would be for an attorney to act as the middle man for known developers/company. Another, and very strange one IMHO, would be to act as the one requesting the certificate, and then hand it over to the unknown developers.

Also, if they're unknown, how does reputation fits in all of this? Reputation is especially important when comes to this kind of software, IMHO.

 

Well if they aren't needing to have any sort of "WHOIS Guard" kind of privacy, why do they need the agent in the first place?

It's a way to retain your privacy as individuals, and yet still have your software able to run on the most widely used operating system in the world.

It's the reputation of "The TrueCrypt Foundation". It doesn't matter who that refers to. The point is any software with that signature will be recognized and associated with all the other software with that signature. And anyone looking to formulate an opinion about a particular program's trustworthiness and stability and efficacy, will be able to make that judgement based on all the past output from that signatory.

And if a team of developers spent all this time and effort developing such a great product, and establishing their work as not only on-the-level, but also good quality...they would more than likely want to keep it that way. They would have established the reputation of the "The TrueCrypt Foundation", and they would have every incentive to keep it in good standing. This would mean they would have an interest in making sure that anything that goes out with their foundation signature is on the up and up.

Tell me...do you know the names and addresses of every single developer who had a hand in creating your OS? Or are you just trusting the reputation of some organization of "unknown" developers operating under a group name like "Microsoft" or "Apple" or some variant of "Linux"?