previously on this list Bas Wijnen contributed:
On Tue, Apr 01, 2014 at 10:49:15PM +0100, Kevin Chadwick wrote:
I think at Debian we all agree that it would be a good
thing if everything would be encrypted, so this is a very bad outcome.
I beg to differ I'm afraid. SSL should be used
On Wed, Apr 2, 2014 at 1:26 PM, Paul Wise wrote:
I think they are constrained by the browser market; if they add
annoying popups and other browser vendors don't then they will
probably lose market share. This is the fundamental problem with web
security; the wider user population wants things
Subject: Re: ca-certificates: no more cacert.org certificates?!?
On Wed, Apr 2, 2014 at 1:26 PM, Paul Wise wrote:
I think they are constrained by the browser market; if they add
annoying popups and other browser vendors don't then they will
probably lose market share
Subject: Re: ca-certificates: no more cacert.org certificates?!?
On Wed, Apr 2, 2014 at 1:26 PM, Paul Wise wrote:
I've also asked Mozilla to give plain HTTP connections at least as much
warnings as self-signed certificates (which would probably mean no
warnings for either of them
Hi,
Paul Wise:
Encrypted and unencrypted connections are equivalent because anyone
who is on your network path (or can manipulate DNS or BGP) can MITM
the connection.
Somebody could passively log the connection for later analysis.
Your argument does not hold for this case.
--
-- Matthias
On Wed, Apr 2, 2014 at 6:09 PM, Matthias Urlichs wrote:
Somebody could passively log the connection for later analysis.
Your argument does not hold for this case.
I don't have an argument, I'm saying that Snowden revealed that global
active adversaries like the NSA and GCHQ have been doing
On 04/02/2014 04:43 AM, Bas van den Dikkenberg wrote:
The only thing stated in RDL is that the user has to be informed about the copyright
I find this, perhaps, the most interesting and on-topic comment in this
thread.
--
Kind regards,
Michael
On Mon, 31 Mar 2014 16:03:30 -0700, Russ Allbery r...@debian.org
wrote:
Of course, I'm one of those people who believes that web site certificate
signatures as currently implemented, with the level of vetting that's
actually done by commercial CAs in practice, are more of an extortion
racket than
Marc Haber mh+debian-de...@zugschlus.de writes:
On Mon, 31 Mar 2014 16:03:30 -0700, Russ Allbery r...@debian.org
wrote:
Of course, I'm one of those people who believes that web site certificate
signatures as currently implemented, with the level of vetting that's
actually done by commercial CAs
On Tue, Apr 1, 2014 at 6:04 PM, Philip Hands wrote:
I think the real problem here is the user interface asking one to trust
a site (forever, unless you're concentrating) at a point where you
really don't care because all you're interested in is seeing the cute
picture of an otter on someone's
Hi,
On Tuesday, 1 April 2014, Marc Haber wrote:
I have to agree on that. But a Startcom Certificate on a personal web
site is one web site more that doesn't train users to blindly click
away certificate warnings. A cacert certificate or a self-signed
certificate on a personal web site is
previously on this list people contributed:
I still don't see why we penalize Debian users for the fact that _other_
operating systems don't include the cacert certificate
Seems illogical to me we need more free CAs not less and I do agree
about the extortionism especially on EV.
If a web
On Tue, Apr 01, 2014 at 11:04:43AM +0100, Philip Hands wrote:
I think the real problem here is the user interface asking one to trust
a site (forever, unless you're concentrating) at a point where you
really don't care because all you're interested in is seeing the cute
picture of an otter on
On Tue, 01 Apr 2014 11:04:43 +0100, Philip Hands p...@hands.com
wrote:
Marc Haber mh+debian-de...@zugschlus.de writes:
On Mon, 31 Mar 2014 16:03:30 -0700, Russ Allbery r...@debian.org
wrote:
Of course, I'm one of those people who believes that web site certificate
signatures as currently
previously on this list Bas Wijnen contributed:
From: Bas Wijnen wij...@debian.org
To: debian-devel@lists.debian.org
Subject: Re: ca-certificates: no more cacert.org certificates?!?
Date: Tue, 1 Apr 2014 22:22:12 +0200
User-Agent: Mutt/1.5.21 (2010-09-15)
On Tue, Apr 01, 2014 at 11:04
On Tue, Apr 01, 2014 at 10:49:15PM +0100, Kevin Chadwick wrote:
I think at Debian we all agree that it would be a good
thing if everything would be encrypted, so this is a very bad outcome.
I beg to differ I'm afraid. SSL should be used where it is required
otherwise you are opening the
On Wed, Apr 2, 2014 at 4:22 AM, Bas Wijnen wrote:
It's not at all equivalent. When using (good) encryption, the only
thing left to worry about is man in the middle attacks. Even when
someone is actively performing a man in the middle attack on you, your
data is _still_ more secure than a
On Mar 31, Brian May br...@microcomaustralia.com.au wrote:
On the other hand, getting back on topic, cacert.org offers you
certificates free, and for any purpose, which is why it is much better than
any of the other free alternatives (I only know one free alternative).
And they are about as
On Mon, 31 Mar 2014 09:24:29 +1100, Brian May
br...@microcomaustralia.com.au wrote:
On the other hand, getting back on topic, cacert.org offers you
certificates free, and for any purpose, which is why it is much better than
any of the other free alternatives (I only know one free alternative).
On 1 April 2014 04:42, Marc Haber mh+debian-de...@zugschlus.de wrote:
cacert.org is unusable if you offer your web site to muggles. It's
not in the browsers.
Not sure what you mean. cacert.org is unusable at the moment because it
isn't included in the browsers. Which is the problem we were
Brian May br...@microcomaustralia.com.au writes:
On 1 April 2014 04:42, Marc Haber mh+debian-de...@zugschlus.de wrote:
cacert.org is unusable if you offer your web site to muggles. It's
not in the browsers.
Not sure what you mean. cacert.org is unusable at the moment because it
isn't
Hi,
On Mon, Mar 31, 2014 at 04:03:30PM -0700, Russ Allbery wrote:
Brian May br...@microcomaustralia.com.au writes:
On 1 April 2014 04:42, Marc Haber mh+debian-de...@zugschlus.de wrote:
cacert.org is unusable if you offer your web site to muggles. It's
not in the browsers.
Not sure
On Sun, 30 Mar 2014 10:26:28 +1100, Brian May
br...@microcomaustralia.com.au wrote:
On 29 March 2014 18:10, Marc Haber mh+debian-de...@zugschlus.de wrote:
My last renewal of a startcom certificate was in February 2014. I guess
you were a victim of a misunderstanding, or they indeed check what kind of
On 30 March 2014 17:26, Marc Haber mh+debian-de...@zugschlus.de wrote:
I find this somewhat a fair deal. If you make money from your web
site, you should pay for the certificate.
Where do you draw the line? Does a commercial company hosting a website,
say for documentation for a commercial
On Wed, 26 Mar 2014 14:32:49 +1100, Dmitry Smirnov
only...@debian.org wrote:
On Tue, 25 Mar 2014 15:29:12 Marc Haber wrote:
only...@debian.org wrote:
I just want to note that Startcom is no match to cacert.org in regards to
free SSL certificates. Some years ago I got a free certificate from
On 29 March 2014 18:10, Marc Haber mh+debian-de...@zugschlus.de wrote:
My last renewal of a startcom certificate was in February 2014. I guess
you were a victim of a misunderstanding, or they indeed check what kind of
service a certificate is used for and decide whether to continue to
offer the
On Tue, 25 Mar 2014, Wouter Verhelst wrote:
Lack of use? No kidding. TLSA RRs have been promoted to IETF proposed
standard in August 2012[1]. And DNS servers haven't support for them
since recently (I'd say 6 months to 1 year).
DNS servers have supported them for years; RFC3597 is
Edward Allcutt wrote:
On 24/03/2014 14:23, Raphael Geissert wrote:
If only people actually used DNSSEC and DANE - Chromium/Google Chrome
dropped support for the latter due to the lack of use[1].
[1] https://www.imperialviolet.org/2011/06/16/dnssecchrome.html
I believe you are mistaken.
On Mon, 24 Mar 2014 12:22:53 +1100, Dmitry Smirnov
only...@debian.org wrote:
I just want to note that Startcom is no match to cacert.org in regards to free
SSL certificates. Some years ago I got a free certificate from Startcom but a
year later Startcom refused to renew it for free.
They renew
Marc Haber mh+debian-de...@zugschlus.de (2014-03-25):
They renew their certificates only in the last (two?) weeks of the
lifetime.
Correct, two weeks.
Mraw,
KiBi.
On Tue, 25 Mar 2014 15:29:12 Marc Haber wrote:
only...@debian.org wrote:
I just want to note that Startcom is no match to cacert.org in regards to
free SSL certificates. Some years ago I got a free certificate from Startcom
but a year later Startcom refused to renew it for free.
They renew
Marco d'Itri wrote:
I suggest that anybody who wants to participate in this debate should
clarify if their goal is:
- choosing appropriate defaults for the general population of our users
- taking a stand against the PKI system
As a co-maintainer, any email that falls in the second category
On 24/03/2014 14:23, Raphael Geissert wrote:
Anyway, I strongly recommend that nobody waste their time on an issue
which in a couple of years will be much less relevant thanks to DANE.
If only people actually used DNSSEC and DANE - Chromium/Google Chrome dropped
support for the latter due
On Mon, 24 Mar 2014, Adrien CLERC wrote:
On 24/03/2014 14:23, Raphael Geissert wrote:
Anyway, I strongly recommend that nobody waste their time on an issue
which in a couple of years will be much less relevant thanks to DANE.
If only people actually used DNSSEC and DANE -
On 24/03/2014 14:23, Raphael Geissert wrote:
Anyway, I strongly recommend that nobody waste their time on an issue
which in a couple of years will be much less relevant thanks to DANE.
If only people actually used DNSSEC and DANE - Chromium/Google Chrome dropped
support for the latter due to
On 24/03/2014 22:18, Edward Allcutt wrote:
I believe you are mistaken. That blog post is about Google's own
design for DNSSEC stapled certificates. Not DANE.
I figured it out after a more careful reading. I forgot about this trial
from Google, that was obviously not used enough to be useful.
On Mon, Mar 24, 2014 at 02:58:55PM +0100, Peter Palfrader wrote:
On Mon, 24 Mar 2014, Adrien CLERC wrote:
On 24/03/2014 14:23, Raphael Geissert wrote:
Anyway, I strongly recommend that nobody waste their time on an issue
which in a couple of years will be much less relevant thanks to
Dmitry Smirnov only...@debian.org wrote:
I've just noticed that cacert.org certificates were removed from
ca-certificates a month ago. From changelog [1]:
* No longer ship cacert.org certificates. Closes: #718434, LP: #1258286
[...]
FWIW there is an article about it on
On Sun, 23 Mar 2014 07:55:05 Andreas Metzler wrote:
FWIW there is an article about it on
http://lwn.net/Articles/590879/
Thanks but LWN subscription is needed to read...
(Alternatively, this item will become freely available on March 27, 2014).
--
Regards,
Dmitry Smirnov
GPG key :
On Sun, Mar 23, 2014 at 3:11 PM, Dmitry Smirnov wrote:
On Sun, 23 Mar 2014 07:55:05 Andreas Metzler wrote:
FWIW there is an article about it on
http://lwn.net/Articles/590879/
Thanks but LWN subscription is needed to read...
(Alternatively, this item will become freely available on March 27,
]] Dmitry Smirnov
On Sun, 23 Mar 2014 07:55:05 Andreas Metzler wrote:
FWIW there is an article about it on
http://lwn.net/Articles/590879/
Thanks but LWN subscription is needed to read...
Use http://lwn.net/SubscriberLink/590879/fef0c71560078461/
--
Tollef Fog Heen
UNIX is user
On Sun, 23 Mar 2014 08:54:20 Tollef Fog Heen wrote:
Use http://lwn.net/SubscriberLink/590879/fef0c71560078461/
Interesting article (thank you for link).
I just want to note that Startcom is no match to cacert.org in regards to free
SSL certificates. Some years ago I got a free certificate from
I suggest that anybody who wants to participate in this debate should
clarify if their goal is:
- choosing appropriate defaults for the general population of our users
- taking a stand against the PKI system
Anyway, I strongly recommend that nobody waste their time on an issue
which in a couple
I've just noticed that cacert.org certificates were removed from
ca-certificates a month ago. From changelog [1]:
* No longer ship cacert.org certificates. Closes: #718434, LP: #1258286
I'm disappointed by this decision and from #718434 I don't get
a clear picture what is wrong with