[clue-tech] CAcert issues

David Anselmi anselmi at anselmi.us
Tue Mar 29 20:03:01 MST 2005


Dirk Huizenga wrote:
> I have had problems getting to the www.cacert.org web site for a while 
> and decided to look into it.

Works for me, though I've been noticing latency lately that may be 
related to Jim's analysis of ultradns.

[...]
> Has anyone else seen this problem?  Is this some conspiracy to block 
> free SSL certificates?

THERE IS NO CONSPIRACY!!! ;-)

> Does anyone use their certificates? I understand that these free
> certs can be a problem, because they do not have a root certificate
> in most browsers.

I don't use them.  Until they are included in browsers (can the Linux 
distros do that, or does it have to be the Mozilla developers?) I don't 
think their certs are much better than a do-it-yourself CA.  Perhaps a 
little better than a CA if you're clueless about what's important.

So to pick them over a discount cert that is included in the browsers, 
I'd say you need to be sure your audience will take the trouble to 
install CAcert's root certificate, and prominently advertise it, with 
directions, everywhere you can.  It's really bad form to encourage 
people to click OK at every security warning.  (This applies equally to 
a d-i-y CA.)

> And I have seen a request for Mozilla (Firefox) to block the ability
> to add root certificates (currently marked WONTFIX) that would
> prevent CAcert's certificates from validating.  Just looking into
> using this for a web site.

I'd be surprised to see that fixed--it would limit your ability to trust 
those you choose.  And DoD, for one, is using their own CA that is not 
included in IE or Mozilla (they tell their admins how to customize their 
browser installs so it is invisible to users, but that doesn't always 
happen (and they don't make it as obvious as they could about getting 
the root cert)).

I don't think it would be hard for Mozilla or a Linux distro to trust 
CAcert, I don't know what the hangup is.  MS requires an audit by, e.g., 
KPMG that costs a bunch.  So a free service is unlikely to get included.

Dave
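The root-trust point Dave makes (a cert from a CA whose root is not in the trust store fails validation until that root is installed, and installing the root does not make an impostor's cert for the same name pass) can be seen with a throwaway do-it-yourself CA. The script below is an added example, not code from the original post, from CAcert or from any distro; the names "Example DIY Root CA", "Some Other Root CA" and "www.example.test" and every file it writes are made up, and "Some Other Root CA" simply stands in for the roots a browser already ships with.

```shell
#!/bin/sh
# Added example (not from the original post): build a throwaway
# do-it-yourself CA with openssl and show that the server cert validates
# only against a trust store that actually contains that CA's root.
# All names and files here are made up; everything is generated locally.
set -e

WORK=$(mktemp -d)
cd "$WORK"

# Config for the toy root: a CA-flagged self-signed cert.
cat > ca.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Example DIY Root CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Config for the server's CSR (subject only; extensions come from leaf.ext).
cat > leaf.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = www.example.test
EOF

# Extensions stamped onto the issued server cert.
cat > leaf.ext <<'EOF'
basicConstraints = CA:FALSE
subjectAltName = DNS:www.example.test
EOF

# 1. Our own root (the CAcert stand-in).
openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes \
  -keyout ca.key -out ca.crt -days 30 2>/dev/null

# 2. An unrelated root, standing in for the roots a browser ships with.
sed 's/Example DIY Root CA/Some Other Root CA/' ca.cnf > other.cnf
openssl req -x509 -config other.cnf -newkey rsa:2048 -nodes \
  -keyout other.key -out other.crt -days 30 2>/dev/null

# 3. The server cert, issued by our root.
openssl req -new -config leaf.cnf -newkey rsa:2048 -nodes \
  -keyout srv.key -out srv.csr 2>/dev/null
openssl x509 -req -in srv.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days 30 -extfile leaf.ext -out srv.crt 2>/dev/null

# 4. A rogue self-signed cert for the same hostname, as an impostor would present.
openssl req -x509 -config leaf.cnf -newkey rsa:2048 -nodes \
  -keyout rogue.key -out rogue.crt -days 30 2>/dev/null

# verify_cert CERT TRUSTSTORE -> prints "trusted" or "untrusted".
# -no-CAfile/-no-CApath keep the system trust store out of the picture,
# so the verdict depends only on the PEM bundle named in $2.
verify_cert() {
  if openssl verify -no-CAfile -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

echo "server cert, root not installed: $(verify_cert srv.crt other.crt)"  # untrusted
echo "server cert, root installed:     $(verify_cert srv.crt ca.crt)"     # trusted
echo "impostor cert, root installed:   $(verify_cert rogue.crt ca.crt)"   # untrusted
```

The first line is what a visitor's browser sees today: the server's cert is fine, but the issuing root is not among the ones the browser carries, hence the warning. The second is the same cert after the root has been installed. The third is why telling people to "just click OK" is bad form: a properly installed root still rejects a self-signed impostor, but a user trained to click through warnings never benefits from that check.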
