On Sun, Sep 19, 2004 at 11:54:25AM +0300, Kai Hendry wrote:
> On Sat, Sep 18, 2004 at 04:47:46PM -0600, Gunnar Wolf wrote:
> > what we do. Debian is about Free Software, not about the services
> > around it.
>
> You need an SSL certificate to make Free software almost usable. Free
> software as an SMTP relay with a clear auth is stupid.

So have a self-signed certificate, that's what most people do if they are
not willing to pay the money or go through the issues of having their
certificates signed by a CA.

> > Besides, setting up a CA is in the first place a huge responsibility
> > (as we would really need to check you are not using fake documents, we
> > would need to have personal contact, etc.), and in the second place it
>
> However, let me point out again that SPI and CACERTS.org already run a
> CA. With the latter clearly willing to hand them out for free. And of
> course, most good Debian users have actually bothered to build up a "web
> of trust". Why not use it?

Because SPI is not a certification authority. Period. They have
certificates for their _own_ use and maybe for some close projects.

I would not trust a CA that hands out certificates for free, that's
pointless and does not give any more security than a self-signed
certificate. A trustworthy CA does all kinds of background checks in order
to assure that he's giving a certificate to the correct person/company (not
somebody trying to supplant them) and to check that the certificate is
being handled correctly so that it is not that easy to be lost.

> > are not in the CA business. If I really want a certificate, I can get
> > it from a CA. Even if it were signed by the Debian project, relatively
>
> The CAs currently in Debian (please take a look in /etc/ssl/certs)
> charge something like 200USD a year. This is prohibitive.

So? Self-sign your certificate. There's nothing preventing you from doing
that.

You even have software in Debian to set up a CA, you could do that
yourself and start selling the service to other people. Repeat after me:
Debian provides Free Software not Free Services. Your certificate will
probably not be automatically trusted by third parties but, then again,
there's a _very_ small chance that a CA that hands off certificates to
whomever wants them without any check will get added to the CAs that most
common software checks for.

Regards

Javier
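The two points made in the message above (self-signing costs nothing, but a self-signed certificate is not trusted by third parties until they are handed the certificate by some other channel) can be checked end to end with the openssl command-line tool. The script below is an added example and is not part of the thread or of any Debian package; the hostname `mail.example.org`, the temporary directory, the key size and the 365-day lifetime are assumptions chosen for the demonstration.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): create a self-signed
# X.509 certificate and show that only a client which was explicitly given
# the certificate trusts it. Hostname, paths and lifetime are assumed values.
set -eu

WORK="${WORK:-$(mktemp -d)}"
HOST="${HOST:-mail.example.org}"   # assumed name of the SMTP relay

# Generate a private key and a certificate signed with that same key.
# -nodes: no passphrase on the key, since a daemon must read it unattended.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes \
        -keyout "$WORK/server.key" -out "$WORK/server.crt" \
        -subj "/CN=$HOST" -days 365 >/dev/null 2>&1
    chmod 600 "$WORK/server.key"   # the key is the secret; the cert is public
    [ -s "$WORK/server.crt" ]
}

# "Self-signed" means the issuer field equals the subject field.
is_selfsigned() {
    subj=$(openssl x509 -in "$WORK/server.crt" -noout -subject)
    iss=$(openssl x509 -in "$WORK/server.crt" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Verification against the system CA bundle (/etc/ssl/certs on Debian)
# fails: no CA that the system trusts has vouched for this certificate.
verify_with_system_cas() {
    openssl verify "$WORK/server.crt" >/dev/null 2>&1
}

# Verification succeeds once the client pins this exact certificate, which
# is what distributing it out-of-band to your own users amounts to.
verify_with_pinned_cert() {
    openssl verify -CAfile "$WORK/server.crt" "$WORK/server.crt" >/dev/null 2>&1
}

main() {
    make_selfsigned
    echo "certificate written to $WORK/server.crt"
    if verify_with_system_cas; then
        echo "unexpected: the system CA store already trusts $HOST"
    else
        echo "system CA store: NOT trusted (no CA vouched for $HOST)"
    fi
    if verify_with_pinned_cert; then
        echo "client holding a pinned copy: trusted"
    fi
}

main "$@"
```

The difference between the two `openssl verify` calls is the whole security argument of the thread: the self-signed certificate gives the SMTP session encryption and, for clients that pin it, authentication of the relay; what it does not give is the third-party identity check that a CA is supposed to perform before signing.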