Re: SSL certificates

To: Kai Hendry <hendry@cs.helsinki.fi>
Cc: debian-devel@lists.debian.org
Subject: Re: SSL certificates
From: Gunnar Wolf <gwolf@gwolf.org>
Date: Sat, 18 Sep 2004 16:47:46 -0600
Message-id: <[🔎] 20040918224745.GA15879@gwolf.org>
In-reply-to: <[🔎] 20040918210501.GE29882@cs.helsinki.fi>
References: <[🔎] 20040918210501.GE29882@cs.helsinki.fi>

Kai Hendry dijo [Sun, Sep 19, 2004 at 12:05:01AM +0300]:
> A variety of Internet applications need an SSL certificate to do
> sensible things like protect a password being sniffed.
> 
> As I understand it, I need to setup my own CA up to generate one of
> these SSL certificates.
> http://tldp.org/HOWTO/SSL-Certificates-HOWTO/index.html
> http://natalian.org/archives/2004/09/14/middlemail/
> 
> But, why !? I am a Debian user. Debian or SPI is a CA and shouldn't they
> be issuing certificates to make my life easier in accordance with the
> Social Contract?

No. The Social Contract mandates us to have our users and Free
Software as our priorities - But that does not mean we are obliged to
go to your house and change your wooden chair to a nice, comfortable
and ergonomic armchair. It would be better for you, but that's not
what we do. Debian is about Free Software, not about the services
around it.

Besides, setting up a CA is in the first place a huge responsability
(as we would really need to check you are not using fake documents, we
would need to have personal contact, etc.), and in the second place it
would absorbe our time - Wouldn't you prefer seeing Sarge soon? :)

> (...)
> If Debian users aren't worthy of a Debian CA issued SSL cert., what
> about developers? DDs are people who have had their identity verified.

We have more or less the same. I know I can issue a SSL cert any
minute I want to, even if it is not recognized by anybody... But I can
PGP-sign a document as well. That PGP signature can establish that the
SSL certificate was really issued by me. Yes, a bit clumsy - but we
are not in the CA business. If I really want a certificate, I can get
it from a CA. Even if it were signed by the Debian project, relatively
few people know about it, and there would be no reason to trust it any
more than trusting myself.

Greetings,

-- 
Gunnar Wolf - gwolf@gwolf.org - (+52-55)1451-2244 / 5554-9450
PGP key 1024D/8BB527AF 2001-10-23
Fingerprint: 0C79 D2D1 2C4E 9CE4 5973  F800 D80E F35A 8BB5 27AF

Reply to:

Follow-Ups:
- Re: SSL certificates
  - From: Kai Hendry <hendry@cs.helsinki.fi>

References:
- SSL certificates
  - From: Kai Hendry <hendry@cs.helsinki.fi>

Prev by Date: Bug#272264: ITP: tomboy -- Desktop note taking program, with support for Wiki style links
Next by Date: Bug#272272: ITP: libnet-socks-perl -- Perl module providing an API to communicate with SOCKS servers
Previous by thread: Re: SSL certificates
Next by thread: Re: SSL certificates
Index(es):
- Date
- Thread