Hi :) First of all, I'd like to stay in my "place" and not appear as arguing as arrogant, I'm not a high level security expert, I'll just share my knowledge and opinion :)
Well, Free (as in free beer) is not the main criterion in choosing CAcert. Free as in freedom would be indeed one of our main criterion. about freessl there is of course StartSSL (with some constraints, related to subdomain, class of certificates, duration...) but also https://www.globalsign.com/ssl/ssl-open-source/ for example which provides free wildcard certificates for opensource project (is it so good? http://tools.ietf.org/html/rfc6125#section-7.2 )but we don't want absolutely a "free" as in free beer certificate, we have enough money for renting a certificate to the CA we trust the most, or distrust the least It is mainly the fact Cacert is based on a community (community driven non-profit Certificate Authority), which offers both centralized and decentralized (trusted network), which publishes its code under a free license. In addition we have had positive feedback about CAcert and we have already discussed with some of their admins. Be supported by default in browsers give of course a feeling of security, but we thought that if we limited ourselves to this criterion, we would encourage an oligopoly of trusted authorities, some of which have already demonstrated more than questionable practices (non exhaustive list): http://blog.mozilla.org/security/2011/08/29/fraudulent-google-com-certificate/ http://blogs.comodo.com/it-security/data-security/the-recent-ra-compromise/ http://wikileaks.org/cable/a/09/06TUNIS2424.html http://en.wikipedia.org/wiki/VeriSign#Controversies One interesting discussion here https://groups.google.com/forum/#!searchin/mozilla.dev.identity/globalsign/mozilla.dev.identity/ljcLyDGMVDA/gdbBxffZFbsJ other intersting blog posts https://www.globalsign.com/blog/trust-the-math-choose-your-friends-wisely.html (I like this part " First, I want to assure you that we have never received a request from any government to forward any key material or to certify any keys with any identity, domain name or organization information that was not legitimate, and if we did we would fight that request to our fullest ability.") http://www.slate.com/blogs/future_tense/2013/09/09/shifting_shadow_stormbrew_flying_pig_new_snowden_documents_show_nsa_deemed.html Of course, as it seems using cacert certificate seems to raise some opposition, we will not go against our community :) I'll make a short answer too, it's a good practise :p " It's not about the money we pay, it's about the Internet we want to promote, but I agree that it may be a too hard battle for us" Suggestion "I'd like to submit the problem to Arisel (which CA to choose/trust) and maybe we could use a balance, ie certificates from TruuustMeeee(tm) Corporation for widely accessed webservices such as forums and blog, and keeping Cacert Certificates for internal/team websites" Le 26/11/2013 15:16, Jeffrey Johnson a écrit : > On Nov 26, 2013, at 4:34 AM, Raphaël Jadot wrote: > >> www is still work in progress, there will be lot of improvement soon >> (including responsive), we're working on it, please be patient :) >> > The main reason for CAcert is usually that it's "free". The hidden > cost is of course that one has to add the root certs, which isn't very > hard on a linux machine. Identifying the myriad procedures for > doing this on commodity/commercial hardware/software is far harder. > > Unlike CAcert, StartSSL root certs are delivered with browsers, and > StarSSL (and Eddy Nigg) have always been strong supporters of > FL/OSS development and distributions. > > Short answer: > Get a StartSSL certificate: the cost is far far less than rehashing > a complex advocacy issue involving what is really "free". > > Disclaimer: > I have been (may still be) both a CAcert and a StartSSL digital notary. > > hth > > 73 de Jeff > >> Le mar. 26 nov. 2013 09:28:05 CET, Paolo a écrit : >>> Il 26/11/2013 04:52, Paul ha scritto: >>> Correction... >>> >>>> Please disable root CACert in Forum/Wiki www.openmandriva.org. >>> >>> It's a little bit annoying with mobile browser. >>> >>> >>> Bye, >>> Paolo >>> >>> >>> >>> >> -- >> Best regards, meilleures salutations >> Raphaël Jadot >> >> > -- Best regards, meilleures salutations Raphaël Jadot
signature.asc
Description: OpenPGP digital signature
