On 10/16/09 13:05, Yavor Doganov wrote:
> More importantly, I fail to see what the problem is, really. If the
> user is clueless enough and doesn't understand how to validate a
> certificate, what good does it do if we choose a certificate that is
> included in a (popular) particular program?
I don't think this is about clueless users, and I find it pretty sad that we're talking about people like that. Free software is for everyone, and it is used by people who may seem clueless about this problem, but that's because they've never had to deal with it before!

For me, this is about trust, plain and simple. If users are doing things in a secure manner on the web, it should be done over HTTPS, and that means paying the certificate folks for a real certificate that is included in all the browsers people use. I've had computer science professors not know what to do about the Savannah error message, and I had to email my entire project and tell them to manually add it.

<http://lists.gnu.org/archive/html/myexperiment-discuss/2007-03/msg00001.html>

It's acceptable for an internal demo, but totally unacceptable for a public website with any significant project or number of users behind it to do this. We want people to trust the GNU project and the FSF. Broken SSL certificates like this one are just that -- breaking the trust relationship between us and the general public.
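The failure the message describes (a certificate that browsers reject until each user manually adds it) can be reproduced with the openssl command-line tool. The script below is an added example, not part of the original thread or of the Savannah setup; the host name savannah.example.invalid and the scratch directory are constructed for the demonstration. It creates a throwaway self-signed certificate, checks it against the system trust store (which fails, exactly as a browser would complain), and then checks it again after explicitly trusting that one certificate, which is the per-user workaround the post says had to be emailed to every project member.

```shell
#!/bin/sh
# Added example (not from the original thread): show why a self-signed
# certificate fails validation against the default trust store and only
# passes once the user has explicitly added it as trusted.
set -e

WORK=$(mktemp -d)            # constructed scratch directory
trap 'rm -rf "$WORK"' EXIT   # clean up the throwaway key and cert on exit

# Generate a throwaway self-signed certificate for a hypothetical host name.
# The private key is unencrypted (-nodes) because it is only used here.
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=savannah.example.invalid" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# Returns 0 if the cert chains to a CA in the system trust store, 1 otherwise.
# A self-signed cert is its own issuer and is not in that store, so this is
# the check a browser performs and fails on.
verify_against_system_store() {
  openssl verify "$WORK/cert.pem" >/dev/null 2>&1
}

# Returns 0 once the user has manually trusted this exact certificate, which
# is what "tell them to manually add it" amounts to: trust established per
# machine, by hand, instead of via a CA already shipped in the browser.
verify_with_manual_trust() {
  openssl verify -CAfile "$WORK/cert.pem" "$WORK/cert.pem" >/dev/null 2>&1
}

make_self_signed
if verify_against_system_store; then
  echo "unexpected: self-signed cert accepted by the system trust store"
else
  echo "system trust store rejects the self-signed cert (what users see)"
fi
if verify_with_manual_trust; then
  echo "accepted only after the cert itself was added as trusted"
fi
```

The first check is what every visitor's browser does automatically; the second is what each of them would have to do by hand, which is why the message argues for a certificate issued by a CA the browsers already ship with.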