
Re: SSL certificates



On Sun, Sep 19, 2004 at 11:54:25AM +0300, Kai Hendry wrote:
> On Sat, Sep 18, 2004 at 04:47:46PM -0600, Gunnar Wolf wrote:
> > what we do. Debian is about Free Software, not about the services
> > around it.
> 
> You need an SSL certificate to make Free software almost usable.  Free
> software as an SMTP relay with a clear auth is stupid.

So have a self-signed certificate, that's what most people do if they are 
not willing to pay the money or go through the issues of having their 
certificates signed by a CA.

> 
> > Besides, setting up a CA is in the first place a huge responsibility
> > (as we would really need to check you are not using fake documents, we
> > would need to have personal contact, etc.), and in the second place it
> 
> However, let me point out again that SPI and CACERTS.org already run a
> CA.  With the latter clearly willing to hand them out for free. And of
> course, most good Debian users have actually bothered to build up a "web
> of trust". Why not use it?

Because SPI is not a certification authority. Period. They have 
certificates for their _own_ use and maybe for some close projects.

I would not trust a CA that hands out certificates for free, that's 
pointless and does not give any more security than a self-signed 
certificate. A trustworthy CA does all kinds of background checks in order 
to assure that he's giving a certificate to the correct person/company (not 
somebody trying to supplant them) and to check that the certificate is being 
handled correctly so that it is not that easy to be lost.

> > are not in the CA business. If I really want a certificate, I can get
> > it from a CA. Even if it were signed by the Debian project, relatively
> 
> The CAs currently in Debian (please take a look in /etc/ssl/certs)
> charge something like 200USD a year. This is prohibitive.

So? Self-sign your certificate. There's nothing preventing you from doing 
that. You even have software in Debian to set up a CA, you could do that 
yourself and start selling the service to other people. Repeat after me: 
Debian provides Free Software not Free Services.

Your certificate will probably not be automatically trusted by third 
parties but, then again, there's a _very_ small chance that a CA that hands 
off certificates to whomever wants them without any check will get added to 
the CAs that most common software check for.

Regards

Javier

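Added example, not code from Javier's message, from the thread, or from the Debian project: the two things the reply suggests, a self-signed server certificate and a small private CA that signs a server certificate, built with the openssl CLI, followed by a check of which of them verifies against which trust store. The host name mail.example.org and the CA name "Example Private CA" are assumptions for illustration; the script assumes an openssl binary of version 1.1.1 or newer (for -addext, -no-CAfile, -no-CApath and -verify_hostname) with its usual default openssl.cnf, and works in a throwaway directory it removes on exit.

```shell
#!/bin/sh
# Added example (not from the original message or from Debian).
# (1) a self-signed server certificate, (2) a private CA plus a server
# certificate it has signed, then: what does each verify against?
# Assumed names: mail.example.org, "Example Private CA".
# Needs openssl >= 1.1.1 with its default openssl.cnf.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST=mail.example.org

# (1) Self-signed: the server key signs its own certificate, so the
#     subject and the issuer are the same name.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$HOST" -addext "subjectAltName=DNS:$HOST" \
        -keyout "$WORK/selfsigned.key" -out "$WORK/selfsigned.crt" 2>/dev/null
}

# (2) Private CA: a self-signed CA certificate (req -x509 marks it
#     CA:TRUE by default), then a server CSR signed with the CA key and
#     given end-entity extensions from server.ext.
make_private_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example Private CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$HOST" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    printf '%s\n' "subjectAltName=DNS:$HOST" "basicConstraints=CA:FALSE" \
        "keyUsage=digitalSignature,keyEncipherment" \
        "extendedKeyUsage=serverAuth" > "$WORK/server.ext"
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 365 -sha256 \
        -extfile "$WORK/server.ext" -out "$WORK/server.crt" 2>/dev/null
}

# is_self_signed <cert>: prints "yes" when subject and issuer are the same.
is_self_signed() {
    subj=$(openssl x509 -noout -subject -in "$1")
    iss=$(openssl x509 -noout -issuer -in "$1")
    [ "${subj#subject=}" = "${iss#issuer=}" ] && echo yes || echo no
}

# verify_with <cert> [<trusted CA file>]: prints "ok" or "fail".
# -no-CAfile/-no-CApath keep this machine's own trust store out of the
# result. No second argument means "trust nothing", which is how a client
# that has never been given your CA behaves. -verify_hostname also checks
# that the name the client connects to is actually in the certificate.
verify_with() {
    if [ -n "${2:-}" ]; then
        openssl verify -no-CAfile -no-CApath -CAfile "$2" \
            -verify_hostname "$HOST" "$1" >/dev/null 2>&1 && echo ok || echo fail
    else
        openssl verify -no-CAfile -no-CApath \
            -verify_hostname "$HOST" "$1" >/dev/null 2>&1 && echo ok || echo fail
    fi
}

make_selfsigned
make_private_ca
echo "selfsigned.crt is self-signed:        $(is_self_signed "$WORK/selfsigned.crt")"
echo "server.crt is self-signed:            $(is_self_signed "$WORK/server.crt")"
echo "selfsigned.crt, trusting nothing:     $(verify_with "$WORK/selfsigned.crt")"
echo "selfsigned.crt, trusting itself:      $(verify_with "$WORK/selfsigned.crt" "$WORK/selfsigned.crt")"
echo "server.crt, trusting nothing:         $(verify_with "$WORK/server.crt")"
echo "server.crt, trusting ca.crt:          $(verify_with "$WORK/server.crt" "$WORK/ca.crt")"
echo "server.crt, trusting selfsigned.crt:  $(verify_with "$WORK/server.crt" "$WORK/selfsigned.crt")"
```

Both routes give you working TLS for an SMTP relay; the difference is only in who can verify the result. With an empty trust store (any third party who has never seen your certificate or CA) both certificates fail, which is the "not automatically trusted by third parties" point of the reply. The CA-signed certificate verifies for anyone you have handed ca.crt to, and that one file covers every further certificate the CA signs, whereas a self-signed certificate has to be distributed on its own and replaced everywhere when it is renewed. In either case, the check a client must do on its side is the same: verify the chain against a store it controls and check the host name, which is what verify_with does.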