Hello,

On Wed, 14 Mar 2012 12:33:49 +0100 Alexander Kriegisch wrote:
> Andrew Savchenko, 09.03.2012 15:51:
[...]
> > Commercial certificate is not necessary, CACert certificates are
> > acknowledged by any sane browser and may be obtained for free after
> > registration.
>
> One more comment about this statement, because it surprised me and I
> just got around to testing it today. The result is as it always was: no
> browser I tested (current release versions of Chrome, FF, Opera, IE)
> trusts the CAcert root certificate, every single one shows a warning.

This does not depend on your browser, but depends on your system SSL
configuration. On all my boxes Gentoo is used. File
/usr/share/ca-certificates/cacert.org/cacert.org.crt is included in the
standard app-misc/ca-certificates package taken by Gentoo from Debian:
http://packages.debian.org/sid/ca-certificates

That's why at least in these distributions it will work; Ubuntu probably
follows. If not, update your system. If you have no system-wide
certificate lists, then your system is broken. If your distribution does
not support this certificate, then ask maintainers to fix this problem.

> Anything else would have been a surprise to me.

Then install Debian or Gentoo and be surprised.

> Getting automatic trust
> on such certificates would be a security nightmare. Even with WOT
> notaries it is not much better.

Please prove this statement, if you are implying that a free of charge CA
is less secure. Payment of some little amount of money has nothing to do
with CA security (but has with CA welfare).

The currently used SSL scheme has very little security; it's more like an
illusion of security, because any of about 200 CAs can sign a certificate
for any domain. And use of a commercial CA changes nothing. Recent events
with the Comodo and DigiNotar CAs prove my statement. The real solution
will be the use of a web of trust with a high number of minimal
certificate signers.

Only when a CA is signed by multiple CAs (let's say ten) may you trust
it. But the current SSL scheme is simply not capable of this kind of
work.

Best regards,
Andrew Savchenko
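Added example, not from the thread or any of its authors: it demonstrates the point argued above, that whether a certificate validates depends on which root CAs the verifying side has been configured with, not on the CA's business model. A constructed throwaway root CA signs one leaf certificate, which then passes or fails `openssl verify` depending on the CA bundle it is checked against; the CA, the bundle files and the host name are all constructed, and the openssl command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): trust is a property of
# the verifier's root store. A constructed root CA signs a leaf cert; the
# same leaf is "trusted" or "untrusted" depending on the bundle used.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# Constructed self-signed root ("openssl req -x509" marks it CA:TRUE by default).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test Root" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
# Constructed server certificate issued by that root (host name is made up).
openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/leaf.crt" 2>/dev/null
# Two stand-ins for a distro ca-certificates bundle: with and without the root.
cp "$WORK/ca.crt" "$WORK/bundle-with-root.pem"
: > "$WORK/bundle-without-root.pem"
# verify_with BUNDLE CERT: prints "trusted" or "untrusted".
verify_with() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}
# root_in_bundle ROOT BUNDLE: succeeds if some certificate in BUNDLE has the
# same SHA-256 fingerprint as ROOT (compare fingerprints, not subject names).
root_in_bundle() {
    want=$(openssl x509 -noout -fingerprint -sha256 -in "$1")
    found=1
    cert=""
    while IFS= read -r line; do
        cert="$cert$line
"
        case "$line" in
            *"END CERTIFICATE"*)
                got=$(printf '%s' "$cert" | openssl x509 -noout -fingerprint -sha256)
                [ "$got" = "$want" ] && found=0
                cert="" ;;
        esac
    done < "$2"
    return "$found"
}
echo "with root:    $(verify_with "$WORK/bundle-with-root.pem" "$WORK/leaf.crt")"
echo "without root: $(verify_with "$WORK/bundle-without-root.pem" "$WORK/leaf.crt")"
```

Pointed at a real bundle (on Debian-derived systems the merged file is usually /etc/ssl/certs/ca-certificates.crt), root_in_bundle answers the question argued in the thread for any given root, such as the cacert.org.crt file named above.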