[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: SSL certificates

On Sun, Sep 19, 2004 at 11:54:25AM +0300, Kai Hendry wrote:
> On Sat, Sep 18, 2004 at 04:47:46PM -0600, Gunnar Wolf wrote:
> > what we do. Debian is about Free Software, not about the services
> > around it.
> You need an SSL certificate to make Free software almost usable.  Free
> software as an SMTP relay with a clear auth is stupid.

So have a self-signed certificate, that's what most people do if they are 
not willing to pay the money or go through the issues of having their 
certificates signed by a CA.

> > Besides, setting up a CA is in the first place a huge responsability
> > (as we would really need to check you are not using fake documents, we
> > would need to have personal contact, etc.), and in the second place it
> However, let me point out again that SPI and CACERTS.org already run a
> CA.  With the latter clearly willing to hand them out for free. And of
> course, most good Debian users have actually bothered to build up a "web
> of trust". Why not use it?

Because SPI is not a certification authority. Period. They have 
certificates for their _own_ use and maybe for some close projects.

I would not trust a CA that hands out certificates for free, that's 
pointless and does not give any more security than a self-signed 
certificate. A thrustworthy CA does all kind of background checks in order 
to assure that he's giving a certificate to the correct person/company (not 
somebody trying to suplant them) and to check that the certificate is being 
handled correctly so that it is not that easy to be lost.

> > are not in the CA business. If I really want a certificate, I can get
> > it from a CA. Even if it were signed by the Debian project, relatively
> The CAs currently in Debian (please take a look in /etc/ssl/certs)
> charge something like 200USD a year. This is prohibitive.

So? Self-sign your certificate. There's nothing preventing you from doing 
that. You have even software in Debian to setup a CA, you could do that 
yourself and start selling the service to other people. Repeat after me: 
Debian provides Free Software not Free Services.

Your certificate will probably not be automatically trusted by third 
parties but, then again, there's a _very_ small chance that a CA that hands 
off certificates to whomever wants them without any check will get added to 
the CAs that most common software check for.



Attachment: signature.asc
Description: Digital signature

Reply to: