On Nov 26, 2013, at 11:16 AM, Raphaël Jadot wrote: > Hi :) > > First of all, I'd like to stay in my "place" and not appear as arguing as > arrogant, I'm not a high level security expert, I'll just share my knowledge > and opinion :) > > Well, Free (as in free beer) is not the main criterion in choosing CAcert. > Free as in freedom would be indeed one of our main criterion. >
I was speaking of "free speech". Apologies if that isn't/wasn't clear. > about freessl there is of course StartSSL (with some constraints, related to > subdomain, class of certificates, duration...) but also > https://www.globalsign.com/ssl/ssl-open-source/ for example which provides > free wildcard certificates for opensource project (is it so good? > http://tools.ietf.org/html/rfc6125#section-7.2 ) but we don't want absolutely > a "free" as in free beer certificate, we have enough money for renting a > certificate to the CA we trust the most, or distrust the least > > It is mainly the fact Cacert is based on a community (community driven > non-profit Certificate Authority), which offers both centralized and > decentralized (trusted network), which publishes its code under a free > license. In addition we have had positive feedback about CAcert and we have > already discussed with some of their admins. > If you wish to advocate "free speech" by forcing users to load CAcert root certificates, then you will drown in complaints about CAcert from users with commodity/commercial devices. Its entirely up to you whether "free speech" advocacy is more important than simple/seamless access to web content. Bothe CAcert and Startssl are equally "secure" when the root cert is installed. > Be supported by default in browsers give of course a feeling of security, but > we thought that if we limited ourselves to this criterion, we would encourage > an oligopoly of trusted authorities, some of which have already demonstrated > more than questionable practices (non exhaustive list): > Both CAcert and Startssl are equally "secure" when the root cert is installed. There is no such thing as "... feeling of security" that is relevant. > > http://blog.mozilla.org/security/2011/08/29/fraudulent-google-com-certificate/ > http://blogs.comodo.com/it-security/data-security/the-recent-ra-compromise/ > http://wikileaks.org/cable/a/09/06TUNIS2424.html > http://en.wikipedia.org/wiki/VeriSign#Controversies > > One interesting discussion here > https://groups.google.com/forum/#!searchin/mozilla.dev.identity/globalsign/mozilla.dev.identity/ljcLyDGMVDA/gdbBxffZFbsJ > > other intersting blog posts > https://www.globalsign.com/blog/trust-the-math-choose-your-friends-wisely.html > (I like this part " First, I want to assure you that we have never received a > request from any government to forward any key material or to certify any > keys with any identity, domain name or organization information that was not > legitimate, and if we did we would fight that request to our fullest > ability.") > http://www.slate.com/blogs/future_tense/2013/09/09/shifting_shadow_stormbrew_flying_pig_new_snowden_documents_show_nsa_deemed.html > > Of course, as it seems using cacert certificate seems to raise some > opposition, we will not go against our community :) > > I'll make a short answer too, it's a good practise :p > " It's not about the money we pay, it's about the Internet we want to > promote, but I agree that it may be a too hard battle for us" > > Suggestion > "I'd like to submit the problem to Arisel (which CA to choose/trust) and > maybe we could use a balance, ie certificates from TruuustMeeee(tm) > Corporation for widely accessed webservices such as forums and blog, and > keeping Cacert Certificates for internal/team websites" > > WORKSFORME. Note that the choice between CAcert and other FL/OSS friendly certs has been discussed many times before. hth 73 de Jeff > > > > Le 26/11/2013 15:16, Jeffrey Johnson a écrit : >> On Nov 26, 2013, at 4:34 AM, Raphaël Jadot wrote: >> >>> www is still work in progress, there will be lot of improvement soon >>> (including responsive), we're working on it, please be patient :) >>> >> The main reason for CAcert is usually that it's "free". The hidden >> cost is of course that one has to add the root certs, which isn't very >> hard on a linux machine. Identifying the myriad procedures for >> doing this on commodity/commercial hardware/software is far harder. >> >> Unlike CAcert, StartSSL root certs are delivered with browsers, and >> StarSSL (and Eddy Nigg) have always been strong supporters of >> FL/OSS development and distributions. >> >> Short answer: >> Get a StartSSL certificate: the cost is far far less than rehashing >> a complex advocacy issue involving what is really "free". >> >> Disclaimer: >> I have been (may still be) both a CAcert and a StartSSL digital notary. >> >> hth >> >> 73 de Jeff >> >>> Le mar. 26 nov. 2013 09:28:05 CET, Paolo a écrit : >>>> Il 26/11/2013 04:52, Paul ha scritto: >>>> Correction... >>>> >>>>> Please disable root CACert in Forum/Wiki www.openmandriva.org. >>>> >>>> It's a little bit annoying with mobile browser. >>>> >>>> >>>> Bye, >>>> Paolo >>>> >>>> >>>> >>>> >>> -- >>> Best regards, meilleures salutations >>> Raphaël Jadot >>> >>> >> > > -- > Best regards, meilleures salutations > Raphaël Jadot >
