Re: ca-certificates: no more cacert.org certificates?!?

To: debian-devel@lists.debian.org
Subject: Re: ca-certificates: no more cacert.org certificates?!?
From: Kevin Chadwick <ma1l1ists@yahoo.co.uk>
Date: Tue, 1 Apr 2014 22:49:15 +0100
Message-id: <[🔎] 616880.64104.bm@smtp144.mail.ir2.yahoo.com>
In-reply-to: <[🔎] 20140401202211.GC15123@a82-93-13-222.adsl.xs4all.nl>
References: <[🔎] 87lhvp1i2s.fsf@poker.hands.com> <[🔎] 20140401202211.GC15123@a82-93-13-222.adsl.xs4all.nl>

previously on this list Bas Wijnen contributed:

> From: Bas Wijnen <wijnen@debian.org>
> To: debian-devel@lists.debian.org
> Subject: Re: ca-certificates: no more cacert.org certificates?!?
> Date: Tue, 1 Apr 2014 22:22:12 +0200
> User-Agent: Mutt/1.5.21 (2010-09-15)
> 
> On Tue, Apr 01, 2014 at 11:04:43AM +0100, Philip Hands wrote:
> > I think the real problem here is the user interface asking one to trust
> > a site (forever, unless you're concentrating) at a point where you
> > really don't care because all you're interested in is seeing the cute
> > picture of an otter on someone's blog.  
> 
> Yes.  And the fact that making your blog use an encrypted connection
> causes either scary warnings for all your visitors, or a lot of hassle
> trying to find a CA who is slightly less extorting than the others,
> leads to the result that most people give it up and don't use encryption
> on their blog.

I agree

>  I think at Debian we all agree that it would be a good
> thing if everything would be encrypted, so this is a very bad outcome.
> 

I beg to differ I'm afraid. SSL should be used where it is required
otherwise you are opening the server upto DOS and as it is more
complex, bugs and exploits not to mention greater memory and cpu usage
in similar fashion to systemd.

> 
> I've also asked Mozilla to give plain HTTP connections at least as much
> warnings as self-signed certificates (which would probably mean no
> warnings for either of them), but I don't think they'll listen.

What have you asked them exactly. I believe glaring warnings should be
removed from self-signed and green bars removed completely for EV certs
but you should be asked to check the fingerprint for self-signed and the
browser should cache the cert and warn of changes in all cases
though that would scare the uninitiated at first???

-- 
_______________________________________________________________________

'Write programs that do one thing and do it well. Write programs to work
together. Write programs to handle text streams, because that is a
universal interface'

(Doug McIlroy)

In Other Words - Don't design like polkit or systemd
_______________________________________________________________________

I have no idea why RTFM is used so aggressively on LINUX mailing lists
because whilst 'apropos' is traditionally the most powerful command on
Unix-like systems it's 'modern' replacement 'apropos' on Linux is a tool
to help psychopaths learn to control their anger.

(Kevin Chadwick)

_______________________________________________________________________

Reply to:

Follow-Ups:
- Re: ca-certificates: no more cacert.org certificates?!?
  - From: Bas Wijnen <wijnen@debian.org>

References:
- Re: ca-certificates: no more cacert.org certificates?!?
  - From: Philip Hands <phil@hands.com>
- Re: ca-certificates: no more cacert.org certificates?!?
  - From: Bas Wijnen <wijnen@debian.org>

Prev by Date: Re: default messaging/VoIP client for Debian 8/Jessie
Next by Date: Re: ca-certificates: no more cacert.org certificates?!?
Previous by thread: Re: ca-certificates: no more cacert.org certificates?!?
Next by thread: Re: ca-certificates: no more cacert.org certificates?!?
Index(es):
- Date
- Thread