On Nov 26, 2013, at 11:16 AM, Raphaël Jadot wrote:

> Hi :)
> 
> First of all, I'd like to stay in my "place" and not appear as arguing as 
> arrogant, I'm not a high level security expert, I'll just share my knowledge 
> and opinion :)
> 
> Well, Free (as in free beer) is not the main criterion in choosing CAcert. 
> Free as in freedom would be indeed one of our main criterion.
> 

I was speaking of "free speech". Apologies if that isn't/wasn't clear.

> about freessl there is of course StartSSL (with some constraints, related to 
> subdomain, class of certificates, duration...) but also 
> https://www.globalsign.com/ssl/ssl-open-source/ for example which provides 
> free wildcard certificates for opensource project (is it so good? 
> http://tools.ietf.org/html/rfc6125#section-7.2 ) but we don't want absolutely 
> a "free" as in free beer certificate, we have enough money for renting a 
> certificate to the CA we trust the most, or distrust the least
> 
> It is mainly the fact Cacert is based on a community (community driven 
> non-profit Certificate Authority), which offers both centralized and 
> decentralized (trusted network), which publishes its code under a free 
> license. In addition we have had positive feedback about CAcert and we have 
> already discussed with some of their admins.
> 

If you wish to advocate "free speech" by forcing users to load CAcert root 
certificates,
then you will drown in complaints about CAcert from users with 
commodity/commercial
devices.

Its entirely up to you whether "free speech" advocacy is more important than
simple/seamless access to web content.

Bothe CAcert and Startssl are equally "secure" when the root cert is installed.

> Be supported by default in browsers give of course a feeling of security, but 
> we thought that if we limited ourselves to this criterion, we would encourage 
> an oligopoly of trusted authorities, some of which have already demonstrated 
> more than questionable practices (non exhaustive list):
> 

Both CAcert and Startssl are equally "secure" when the root cert is installed.
There is no such thing as "... feeling of security" that is relevant.

> 
> http://blog.mozilla.org/security/2011/08/29/fraudulent-google-com-certificate/
> http://blogs.comodo.com/it-security/data-security/the-recent-ra-compromise/
> http://wikileaks.org/cable/a/09/06TUNIS2424.html
> http://en.wikipedia.org/wiki/VeriSign#Controversies
> 
> One interesting discussion here 
> https://groups.google.com/forum/#!searchin/mozilla.dev.identity/globalsign/mozilla.dev.identity/ljcLyDGMVDA/gdbBxffZFbsJ
> 
> other intersting blog posts
> https://www.globalsign.com/blog/trust-the-math-choose-your-friends-wisely.html
> (I like this part " First, I want to assure you that we have never received a 
> request from any government to forward any key material or to certify any 
> keys with any identity, domain name or organization information that was not 
> legitimate, and if we did we would fight that request to our fullest 
> ability.")
> http://www.slate.com/blogs/future_tense/2013/09/09/shifting_shadow_stormbrew_flying_pig_new_snowden_documents_show_nsa_deemed.html
> 
> Of course, as it seems using cacert certificate seems to raise some 
> opposition, we will not go against our community :)
> 
> I'll make a short answer too, it's a good practise :p 
> " It's not about the money we pay, it's about the Internet we want to 
> promote, but I agree that it may be a too hard battle for us"
> 
> Suggestion
> "I'd like to submit the problem to Arisel (which CA to choose/trust) and 
> maybe we could use a balance, ie certificates from TruuustMeeee(tm) 
> Corporation for widely accessed webservices such as forums and blog, and 
> keeping Cacert Certificates for internal/team websites"
> 
> 

WORKSFORME. Note that the choice between CAcert and other FL/OSS
friendly certs has been discussed many times before.


hth

73 de Jeff

> 
> 
> 
> Le 26/11/2013 15:16, Jeffrey Johnson a écrit :
>> On Nov 26, 2013, at 4:34 AM, Raphaël Jadot wrote:
>> 
>>> www is still work in progress, there will be lot of improvement soon 
>>> (including responsive), we're working on it, please be patient :)
>>> 
>> The main reason for CAcert is usually that it's "free". The hidden
>> cost is of course that one has to add the root certs, which isn't very
>> hard on a linux machine. Identifying the myriad procedures for
>> doing this on commodity/commercial hardware/software is far harder.
>> 
>> Unlike CAcert, StartSSL root certs are delivered with browsers, and
>> StarSSL (and Eddy Nigg) have always been strong supporters of
>> FL/OSS development and distributions.
>> 
>> Short answer:
>>      Get a StartSSL certificate: the cost is far far less than rehashing
>>      a complex advocacy issue involving what is really "free".
>> 
>> Disclaimer:
>>      I have been (may still be) both a CAcert and a StartSSL digital notary.
>> 
>> hth
>> 
>> 73 de Jeff
>> 
>>> Le mar. 26 nov. 2013 09:28:05 CET, Paolo a écrit :
>>>> Il 26/11/2013 04:52, Paul ha scritto:
>>>> Correction...
>>>> 
>>>>> Please disable root CACert in Forum/Wiki www.openmandriva.org.
>>>> 
>>>> It's a little bit annoying with mobile browser.
>>>> 
>>>> 
>>>> Bye,
>>>> Paolo
>>>> 
>>>> 
>>>> 
>>>> 
>>> --
>>> Best regards, meilleures salutations
>>> Raphaël Jadot
>>> 
>>> 
>> 
> 
> -- 
> Best regards, meilleures salutations
> Raphaël Jadot
> 



Reply via email to