I am curious why this was submitted now, especially in light of the recent removal of cacert from Debian's ca-certificates package.[^1][^2] It seems that the discussion of cacert's removal highlighted serious concerns about cacert's process. A request to include cacert in mozilla's certs sat in bugzilla for four years before it was, thankfully, closed.[^3]
No serious concerns. Just the typical overly debian knee-jerk reaction to bring someone down by bullying "because we can" and not for technical merits.
There was no argument as to why cacert should be removed.
Maybe Assange was right? (I still doubt it, debian politicians are just as stupid and like to abuse their powers as any other politicians are)
You do want to support a non-commercial and community driven CA cert authority, because you don't want to rely on commercial-only certs which are not based on technical merits, just on friendship and common business interests.
You really want a free HTTPS connection to your favorite open source project's login page, and do not force them to pay yearly CA update fees to untrustworthy cert authorities for no reason.
I thought it was a great idea for strengthening the gpg/pgp web of trust. Outside of debian there is/was very little in the way of organized efforts to improve the web of trust. However I do not think it is a great idea for browser certificates. At least not until there are serious improvements to the CA configuration UI and user education.
A community-driven effort is always commendable, but we must ditch the whole CA model, not fix it.
Proposed solution: use namecoin's .bit domains [0], add TLS records, and use dnschain [1] as a bridge between DNS and namecoin to keep using our current applications.
The problem with a community driven CA is that there are no repercussions if it is infiltrated. If one of the commercial CAs got hacked then they would be removed as a trusted CA and their business would cease from that point on. They have a commercial interest in being secure and therefore invest lots of money in solutions to this (including expensive HSMs).
Certificates are not expensive - you can pick them up for $5.
I sell SSL certs for £35, every one of my customers could have got the exact same certificate for £5 - they pay the extra for a well designed, intuitive website that makes the process incredibly easy with great support.
Most of my customers hear about my site through word of mouth, I often give out free or cost-price certificates to Open Source software or charitable sites.
Experience shows that there are no repercussions [edit: usually no repercussions] if a commercial CA is hacked, either (or even if it intentionally issues fraudulent certificates).
dfc | 12 years ago
[^1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718434
[^2]: https://lwn.net/Articles/590879/
[^3]: https://bugzilla.mozilla.org/show_bug.cgi?id=215243
rurban | 12 years ago
lawnchair_larry | 12 years ago
rurban | 12 years ago
Currently you need to add the cacert into your keychain on some distros manually. See http://wiki.cacert.org/FAQ/ImportRootCert
dfc | 12 years ago
thejosh | 12 years ago
rakoo | 12 years ago
Disclaimer: I participated in dnschain
[0] https://wiki.namecoin.info/index.php?title=Domain_Name_Speci...
[1] https://github.com/okTurtles/dnschain
null_ptr | 12 years ago
The certificate is not trusted because no issuer chain was provided.
(Error code: sec_error_unknown_issuer)
thejosh | 12 years ago
abritishguy | 12 years ago
https://www.volcanicpixels.com/ssl/buy
https://github.com/volcanicpixels/volcanicpixels/
wiml | 12 years ago