Matt Lee wrote:

> I don't think this is about clueless users, and I find it pretty sad
> that we're talking about people like that.

OK, I withdraw my words. What is this all about, really?

> Free software is for everyone, and used by people who may seem
> clueless about this problem, but it's because they've never had to
> deal with it before!

Right. So you seem to say that we should ensure that they don't have to deal with this when authenticating with Savannah by purchasing a certificate from a CA that is approved by the top web browser distributors? Is that right?

> For me, this is about trust, plain and simple.

For me, likewise. I don't think we should pay even a penny to certify that we are we. Even though the cost is negligible, this is a matter of principle.

> If users are doing things in a secure manner on the web, it should be
> done over HTTPS, and that means paying the certificate folks for a real
> certificate that is included in all the browsers people use.

No. What you call a "real certificate" is debatable. You can certainly have a "real certificate" without "paying the certificate folks". The system administrator decides what CAs to trust, and users can always override his choice. This discussion seems to be about bowing before Mozilla's and Microsoft's specific choice of CAs.

> We want people to trust the GNU project and the FSF.

Don't exaggerate. Authenticating the connection with the Savannah server has little to do with the general trust in the GNU project and the FSF. Needless to say, you can perform 99% of the useful tasks without HTTPS access at all.

> Broken SSL certificates like this one,

Please. Our certificate is not broken. It may appear broken to people who have no clue what an invalid certificate means, in which case we provide palatable documentation with an explanation and simple steps to perform the validation, which is, in all cases, much better security-wise from the standpoint of the ordinary user whose interests both parties intend to protect.