[clue-tech] CAcert issues
David Anselmi
anselmi at anselmi.us
Tue Mar 29 20:03:01 MST 2005
Dirk Huizenga wrote:
> I have had problems getting to the www.cacert.org web site for a while
> and decided to look into it.
Works for me, though I've been noticing latency lately that may be
related to Jim's analysis of ultradns.
[...]
> Has anyone else seen this problem? Is this some conspiracy to block
> free SSL certificates?
THERE IS NO CONSPIRACY!!! ;-)
> Does anyone use their certificates? I understand that these free
> certs can be a problem, because they do not have a root certificate
> in most browsers.
I don't use them. Until they are included in browsers (can the Linux
distros do that, or does it have to be the Mozilla developers?) I don't
think their certs are much better than a do-it-yourself CA. Perhaps a
little better if you're clueless about what's important than a CA.
So to pick them over a discount cert that is included in the browsers,
I'd say you need to be sure your audience will take the trouble to
install CAcert's root certificate, and prominently advertise it, with
directions, everywhere you can. It's really bad form to encourage
people to click OK at every security warning. (This applies equally to
a d-i-y CA.)
> And I have seen a request for Mozilla (Firefox) to block the ability
> to add root certificates (currently marked WONTFIX) that would
> prevent CAcert's certificates from validating. Just looking into
> using this for a web site.
I'd be surprised to see that fixed--it would limit your ability to trust
those you choose. And DoD, for one, is using their own CA that is not
included in IE or Mozilla (they tell their admins how to customize their
browser installs so it is invisible to users, but that doesn't always
happen (and they don't make it as obvious as they could about getting
the root cert)).
I don't think it would be hard for Mozilla or a Linux distro to trust
CAcert; I don't know what the hangup is. MS requires an audit by, e.g.,
KPMG that costs a bunch. So a free service is unlikely to get included.
Dave