[clue-tech] CAcert issues

Angelo Bertolli angelo at freeshell.org
Tue Mar 29 22:55:47 MST 2005


> I don't use them.  Until they are included in browsers (can the Linux 
> distros do that, or does it have to be the Mozilla developers?) I 
> don't think their certs are much better than a do-it-yourself CA.  
> Perhaps a little better if you're clueless about what's important than 
> a CA.
>
But... if we all agree to use cacert.org, then all it takes is for 
someone to install the CA once (I think AddType 
application/x-x509-ca-cert .crt plus a link will do it), and then they 
can trust everyone who uses that CA.  The other thing about 
do-it-yourself CA is that without a third party, there's really no point 
in having a CA anyway.  The whole idea is so that a third party 
verifies that you are who you say you are.  Now, the real question is 
how strict is cacert.org about making sure your information is correct.  
Even some paid companies don't even check up on you before issuing you a 
certificate.

> So to pick them over a discount cert that is included in the browsers, 
> I'd say you need to be sure your audience will take the trouble to 
> install CAcert's root certificate, and prominently advertise it, with 
> directions, everywhere you can.  It's really bad form to encourage 
> people to click OK at every security warning.  (This applies equally 
> to a d-i-y CA.)
>
Yes, that's the downfall.  But it's still better than just not using a 
secure connection at all ;)

Angelo



