Mark:

On Thu, Sep 18, 2008 at 11:37 AM, Mark J. Reed <[EMAIL PROTECTED]> wrote:
> On Thu, Sep 18, 2008 at 11:09 AM, Marc Girod <[EMAIL PROTECTED]> wrote:
>> This is recent, isn't it?
>> I must have been able to sign in already in the past...
>> Maybe not more recently than a bit less than one year ago.
>
> The change is Firefox 3, which is much pickier about such things than Firefox
> 2.

Indeed. You can still add it to the certificate store in Firefox 3, but it's a few more clicks and harder to dismiss. The intent of this is to make people actually think about that stuff before they just accept it, and thereby hopefully prevent Man-in-the-Middle type attacks, especially for high-security sites like banks.

>
>> P.S. Shouldn't this be a FAQ?
>
> Probably.
>
>> Or would that be a security hole?
>
> The fact that the cert is self-signed is a security hole, since it
> potentially allows traffic to be intercepted by a third party; but
> writing up a FAQ entry on it wouldn't make the hole any bigger.
>
> So what would it take to get a real cert going? It looks like a
> minimally-verified (proven ownership of the domain name) SSL cert is
> about $50/year.

As I mentioned, CAcert certificates are free and anyone with a Certificate of Incorporation for the organization (CPAN) can get an Organizational Certificate, among other great things. But the problem is that you have to manually add the CAcert Root certificates. This is trivial and supported in many browsers, but it would require an FAQ entry to teach people how to add it.
They are working toward getting the root certificates (at least the Class 3, higher-trusted type) into Firefox and other browsers. Last I heard, the Firefox team is still reviewing it. But it does come default in the "ca-certificates" package on Debian now.

In short - I think using a CAcert certificate would be significantly better than the current system, and I would encourage them to do so.

> I know this came up in another thread recently, but
> I didn't see an answer: who foots the bill for CPAN's domain
> registration?
>

The person that runs CPAN - though I once sent him an email and never received a response:

    Yours Eclectically, The Self-Appointed Master Librarian (OOK!) of the CPAN
    Jarkko Hietaniemi [EMAIL PROTECTED] [Disclaimer]

Also it was mentioned, also from the CPAN home page, the master site is hosted by FUNET:
http://www.csc.fi/english/institutions/funet_en/index_html

But the certificate itself is signed by Best Practical Solutions, so I imagine they are the ones running the Request Tracker (being the ones that wrote the software and provide support for it to enterprise users). Their web site is http://bestpractical.com/ - if someone would take the initiative to contact them about it, they may be able to find a solution.

> --
> Mark J. Reed <[EMAIL PROTECTED]>