[aur-general] Random discussion about certificates
On Mon, Aug 10, 2009 at 2:21 PM, Magnus Therning <magnus@therning.org> wrote:
Aaron Griffin wrote:
On Mon, Aug 10, 2009 at 2:03 PM, Magnus Therning <magnus@therning.org> wrote:
Aaron Griffin wrote: [..]
It's not invalid, it's self-signed, so there's no certificate authority stamp-of-approval on it. We had a free year certificate at one point, but decided not to waste the money for a real certificate if it's only used by the devs.
One option would be getting one from CACert.org. Of course it won't be worth a lot without putting their root cert in openssl/firefox/konqueror/epiphany/etc...
We looked into that, but that's not much better than a self signed cert. We discussed this at length among the devs, and already made a decision. We're well aware of all the options :)
What was the line of reasoning behind "not much better than a self signed cert"?
Changing the subject here while we go on this tangent.
The reasoning is simple: CACert root certificates aren't generally accepted, and while we actually support them in things like konqueror, firefox and other tools are a different story (silly mozilla). It's just not feasible at this point, so we end up with a certificate that is "untrusted" anyway.
Now here's the thing.... we already discussed this, and all I'm doing now is rehashing debates about it. There's not much point in it, and I'm not going to be suddenly convinced to do a bunch of work to change a site that is used by about 30-40 people with no actual benefit besides getting rid of a one-time warning screen.
The decision was made, it's over and done with, it's not a big deal.
Aaron Griffin wrote: [..]
Changing the subject here while we go on this tangent.
The reasoning is simple: CACert root certificates aren't generally accepted, and while we actually support them in things like konqueror, firefox and other tools are a different story (silly mozilla). It's just not feasible at this point, so we end up with a certificate that is "untrusted" anyway.
Fair enough. It might be worth keeping an eye on what they are doing though since I've heard mumblings about some restructuring within CACert.org that would make it possible to get their root cert included in the "standard set" that's shipped by Mozilla/Microsoft etc. Once that happens their certs will be worth a lot more.
Now here's the thing.... we already discussed this, and all I'm doing now is rehashing debates about it. There's not much point in it, and I'm not going to be suddenly convinced to do a bunch of work to change a site that is used by about 30-40 people with no actual benefit besides getting rid of a one-time warning screen.
The decision was made, it's over and done with, it's not a big deal.
Oh, I'm not about to start arguing against a good set of reasons :-)
/M
--
Magnus Therning (OpenPGP: 0xAB4DFBA4)
magnus@therning.org Jabber: magnus@therning.org
http://therning.org/magnus identi.ca|twitter: magthe