
Re: ca-certificates: no more cacert.org certificates?!?



Marc Haber <mh+debian-devel@zugschlus.de> writes:

> On Mon, 31 Mar 2014 16:03:30 -0700, Russ Allbery <rra@debian.org>
> wrote:
>>Of course, I'm one of those people who believes that web site certificate
>>signatures as currently implemented, with the level of vetting that's
>>actually done by commercial CAs in practice, are more of an extortion
>>racket than a security measure.
>
> I have to agree on that. But a Startcom Certificate on a personal web
> site is one web site more that doesn't train users to blindly click
> away certificate warnings. A cacert certificate or a self-signed
> certificate on a personal web site is one web site more that does that
> kind of training.

Do you really think that the content on a Startcom certificated site is
more likely to be trustworthy than a CAcert certificated site?

I think the real problem here is the user interface asking one to trust
a site (forever, unless you're concentrating) at a point where you
really don't care because all you're interested in is seeing the cute
picture of an otter on someone's blog.

If browsers treated all new certificates with suspicion, limiting the
things that could be done in javascript, and not allowing forms to be
filled in, say, and then when you decided that you wanted to offer the
site some trust (because you want to fill in your credit card on the
https://amazon-really-it-is.mafia.biz/ site) the browser could then
guide you toward some checks that you might want to perform before
continuing, and because you've got a credit card in your hand you might
be vaguely interested at that point.

Anyway, can we not just have a cacert-certificates package, and then
people like me, who use cacert, could decide to trust them easily on my
machines at least?  If we instead do things that make it harder for even
Free Software enthusiasts to use something like CAcert, then the slim
chance that CAcert might eventually become properly useful gets even
slimmer.

Cheers, Phil.
-- 
|)|  Philip Hands [+44 (0)20 8530 9560]    http://www.hands.com/
|-|  HANDS.COM Ltd.                    http://ftp.uk.debian.org/
|(|  10 Onslow Gardens, South Woodford, London  E18 1NE  ENGLAND
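
The per-machine trust decision Phil asks for ("decide to trust them easily on my machines") is what Debian's ca-certificates local directory already provides. The script below is an added example and is not part of the original mail or of the ca-certificates package; it assumes Debian's update-ca-certificates(8) with its /usr/local/share/ca-certificates/ directory, openssl on PATH, and root privileges for the install step. The point it adds is the check a practitioner would want: the CA's SHA-256 fingerprint is compared against a value obtained out of band before the certificate is admitted to the trust store, so a tampered download is refused rather than trusted.

```shell
#!/bin/sh
# Added example (not from the original mail): admit a locally chosen CA root
# (e.g. a CAcert root) to Debian's trust store only after its SHA-256
# fingerprint matches one verified out of band.
# Assumptions: Debian update-ca-certificates(8), openssl on PATH, run as root.
set -eu

LOCAL_CA_DIR=/usr/local/share/ca-certificates

# Normalise a fingerprint so "ab:cd:..." and "ABCD..." compare equal.
norm_fp() {
    printf '%s' "$1" | tr -d ':' | tr 'a-f' 'A-F'
}

# Succeed only if both strings denote the same 32-byte SHA-256 value.
fp_equal() {
    a=$(norm_fp "$1")
    b=$(norm_fp "$2")
    [ "${#a}" -eq 64 ] || return 1      # reject short or empty fingerprints
    [ "$a" = "$b" ]
}

# SHA-256 fingerprint of a PEM certificate, as printed by openssl.
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Install PEM as NAME.crt and refresh /etc/ssl/certs, but only on a match.
install_local_ca() {
    pem=$1
    expected=$2
    name=$3
    actual=$(cert_fp "$pem")
    if ! fp_equal "$actual" "$expected"; then
        echo "refusing to trust $pem: fingerprint $actual != $expected" >&2
        return 1
    fi
    install -m 0644 "$pem" "$LOCAL_CA_DIR/$name.crt"
    update-ca-certificates      # rebuilds the bundle and the hash symlinks
}

# Usage (expected fingerprint comes from a channel other than the download):
#   install_local_ca cacert-root.pem "<fingerprint verified out of band>" cacert-root
```

Because the local directory is separate from the package-shipped roots under /usr/share/ca-certificates, a CA admitted this way survives package upgrades and is removed again simply by deleting the .crt file and re-running update-ca-certificates.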
