> On Thu, Sep 27, 2007 at 05:23:26PM +0200, Hanno Böck wrote:
>> Well, I hope I don't have to tell that self-signed certs are not really good
>> security policy.
> Whether or not self-signed certs are secure or insecure depends entirely
> on your definition of 'secure'.
> - Is the traffic encrypted between your machine and the server?
>   Always, regardless of it being a self-signed or self-CA, or external CA.
> - Can you be sure that there is no MITM attack?
>   Only if you trust the CA _OR_ you know in advance the SSL fingerprint.
>
> Knowing the SSL fingerprint is trivial, if you log in to machines with
> SSH, you are doing this every day.

Yes, you and I and most other technical people know and understand this.  But how
many end users know or care that their traffic to bugzilla is being safely
encrypted?  And how many are going to have worry and/or doubt when they get a popup
telling them that some kind of security certificate may not be valid?  It's
definitely a red flag.

>> I think most of you know that there's CAcert, a "free" certificate authority.
>> While it's sadly not free in a "free software" sense (their own software
>> isn't released under a free license, though I hope that will change at some
>> point in the future), it uses a web-of-trust-based concept for trust and
>> issues certificates with no costs.
> Go and read ALL of this bug:
> http://bugs.gentoo.org/show_bug.cgi?id=108944
> Pylon and myself, as folk in favour of CA-Cert tried to get the ball
> rolling to get Organization-level certs from CACert. It seems to have
> long blocked on trustees and paperwork - both on our side, and on the
> side of CACert (Inclusion in Mozilla is blocking on the CACert internal
> audit).

Is there a reason that my Godaddy suggestion in the bug isn't being considered?
Regardless of what you may think of them as a company, they offer the same free type
of certificate to open source projects just like cacert, and with what looks to be
considerably less overhead.  I understand that cacert is more "open sourcy" than
godaddy, but if they're as much of a roadblock as the Trustees are in this case,
maybe going that route would enable us to move forward?

>> I think compared to self-signed, having cacert-certificates would be a big
>> improvement. Many other free software projects (and more and more other
>> pages) use cacert, so it becomes more and more likely that people will
>> already have the cacert-root-cert installed.
> I don't agree that it's a big improvement. If you read the bug above,
> you'll note that we did at one stage have a 'Gentoo CA' that Infra ran
> for generating certs.

It is a big improvement.  Not in security, but in perception.

Caleb
