Hi :)

First of all, I'd like to stay in my "place" and not appear as arguing
as arrogant, I'm not a high level security expert, I'll just share my
knowledge and opinion :)

Well, Free (as in free beer) is not the main criterion in choosing
CAcert. Free as in freedom would be indeed one of our main criterion.

about freessl there is of course StartSSL (with some constraints,
related to subdomain, class of certificates, duration...) but also
https://www.globalsign.com/ssl/ssl-open-source/ for example which
provides free wildcard certificates for opensource project (is it so
good? http://tools.ietf.org/html/rfc6125#section-7.2 )but we don't want
absolutely a "free" as in free beer certificate, we have enough money
for renting a certificate to the CA we trust the most, or distrust the least

It is mainly the fact Cacert is based on a community (community driven
non-profit Certificate Authority), which offers both centralized and
decentralized (trusted network), which publishes its code under a free
license. In addition we have had positive feedback about CAcert and we
have already discussed with some of their admins.

Be supported by default in browsers give of course a feeling of
security, but we thought that if we limited ourselves to this criterion,
we would encourage an oligopoly of trusted authorities, some of which
have already demonstrated more than questionable practices (non
exhaustive list):


http://blog.mozilla.org/security/2011/08/29/fraudulent-google-com-certificate/
http://blogs.comodo.com/it-security/data-security/the-recent-ra-compromise/
http://wikileaks.org/cable/a/09/06TUNIS2424.html
http://en.wikipedia.org/wiki/VeriSign#Controversies

One interesting discussion here
https://groups.google.com/forum/#!searchin/mozilla.dev.identity/globalsign/mozilla.dev.identity/ljcLyDGMVDA/gdbBxffZFbsJ

other intersting blog posts
https://www.globalsign.com/blog/trust-the-math-choose-your-friends-wisely.html
(I like this part " First, I want to assure you that we have never
received a request from any government to forward any key material or to
certify any keys with any identity, domain name or organization
information that was not legitimate, and if we did we would fight that
request to our fullest ability.")
http://www.slate.com/blogs/future_tense/2013/09/09/shifting_shadow_stormbrew_flying_pig_new_snowden_documents_show_nsa_deemed.html

Of course, as it seems using cacert certificate seems to raise some
opposition, we will not go against our community :)

I'll make a short answer too, it's a good practise :p
" It's not about the money we pay, it's about the Internet we want to
promote, but I agree that it may be a too hard battle for us"

Suggestion
"I'd like to submit the problem to Arisel (which CA to choose/trust) and
maybe we could use a balance, ie certificates from TruuustMeeee(tm)
Corporation for widely accessed webservices such as forums and blog, and
keeping Cacert Certificates for internal/team websites"





Le 26/11/2013 15:16, Jeffrey Johnson a écrit :
> On Nov 26, 2013, at 4:34 AM, Raphaël Jadot wrote:
>
>> www is still work in progress, there will be lot of improvement soon 
>> (including responsive), we're working on it, please be patient :)
>>
> The main reason for CAcert is usually that it's "free". The hidden
> cost is of course that one has to add the root certs, which isn't very
> hard on a linux machine. Identifying the myriad procedures for
> doing this on commodity/commercial hardware/software is far harder.
>
> Unlike CAcert, StartSSL root certs are delivered with browsers, and
> StarSSL (and Eddy Nigg) have always been strong supporters of
> FL/OSS development and distributions.
>
> Short answer:
>       Get a StartSSL certificate: the cost is far far less than rehashing
>       a complex advocacy issue involving what is really "free".
>
> Disclaimer:
>       I have been (may still be) both a CAcert and a StartSSL digital notary.
>
> hth
>
> 73 de Jeff
>
>> Le mar. 26 nov. 2013 09:28:05 CET, Paolo a écrit :
>>> Il 26/11/2013 04:52, Paul ha scritto:
>>> Correction...
>>>
>>>> Please disable root CACert in Forum/Wiki www.openmandriva.org.
>>>
>>> It's a little bit annoying with mobile browser.
>>>
>>>
>>> Bye,
>>> Paolo
>>>
>>>
>>>
>>>
>> --
>> Best regards, meilleures salutations
>> Raphaël Jadot
>>
>>
>

-- 
Best regards, meilleures salutations
Raphaël Jadot

Attachment: signature.asc
Description: OpenPGP digital signature



Reply via email to