To quickly scribble my thoughts on this:

If we decide to stay with CAcert--let's make sure we are not forcing our
visitors to https version of any of our sites. On the landing site, https
links to our sites should be listed only if the landing site itself is
accessed via https. Other wise all links should be http.

If we decide to move on--let's then try to secure the most widely supported
FLOSS CA.


On Tuesday, November 26, 2013, Jeffrey Johnson wrote:

>
> On Nov 26, 2013, at 12:58 PM, Rolf Pedersen wrote:
>
> >
> > On 11/26/2013 08:51 AM, Raphaël Jadot wrote:
> >>> 2. More importantly, less ambiguously, the browser security warnings
> >>> >and need for manual intervention is a "turn-off" for OMV adoption and
> >>> >should be avoided, if possible, imo.
> >> Yes, this is something I understand, even if not sure to agree:)  We
> >> are a community, and there will no be some "tyranic" decision, so of
> >> course we will not keep this situation if users considers it as an
> >> issue.
> >>
> > Well, I'm not well-educated in all the issues and technicalities, albeit
> being a user of Mandrake et. seq. since early 2000.  The philosophy of
> FOSS, introduced by Stallman, Torvalds, and other pioneers is of the
> primary importance.  However, after all this time of daily Linux usage, I'm
> flummoxed by the challenge to override the browser warning, to make an
> exception.  Acting in near ignorance, I don't feel my security is being
> enhanced, as I need the browsers to do my thing, and just start pushing
> buttons.  The spying by militaristic governments on one another is nothing
> new, just more visible and potentially invasive via the same technology
> that enabled the rapid advancement of Linux.  So, it's a hard choice. There
> is some merit in being approachable, important for what I see OMV is trying
> to become.  Could the installation of the necessary certificates be made
> more automated/transparent with a package dependency or highly visible and
> documented widget/button or some such?  To RTFM before going to a website
> is not a user-friendly mechanism, iiuic.
> > Rolf
> >
>
>
> There isn't much  "free speech" challenge here to understand.
>
> Certificate Authorities follow strict procedures that are described
> (and tested) by various standards (and their agents) as part of
> a global (i.e. not just linux) infrastructure designed for
> interoperability.
>
> The compliance testing isn't cheap, and the certification of a CA is
> most definitely a direct business cost that must be paid for somehow.
>
> I've heard that the cost of getting a root CA (like CAcert) into browsers
> everywhere (as StartSSL has done) is typically about $500K.
>
> The alternative to using an existing CA is to install your own root CA,
> and CAcert is a perfectly sensible choice.
>
> The choice is whether "free speech" advocacy or seamless access
> of web content is more important to OpenMandriva.
>
> Disclaimer:
> There are (of course) other CA's than StartSSL: I point out StartSSL
> solely because Eddy Nigg and StartCom/StartSSL have strong
> connections to FL/OSS, including a CentOS-clone distribution.
>
> 73 de Jeff
>
>

-- 
Sent from Gmail Mobile


Reply via email to