When I generate my own CA for my company (or the company's IT people generate a private CA for the company), it's reasonable to trust that CA. Or, if you want to nitpick, trusting that CA is likely a necessary precondition for accessing the company's internal IT resources and is therefore a necessary precondition for doing your job.

As for StartSSL, a quick google search turns up some disturbing issues with it. Their reaction to the Heartbleed problem earlier this year is particularly worrisome:

A quote from Mozilla's bugzilla issue tracker:

https://bugzilla.mozilla.org/show_bug.cgi?id=994033

> The business model for this free tier is based on profiting from security
> breaches. StartSSL lures in users with free certificates without making it
> clear that there is a revocation fee. During a crisis when users of these
> certificates are most vulnerable, they attempt to extort money with this
> fee. Many people are using the free certificates because they can't or
> won't pay fees like this. Certificates signed by StartSSL are no longer
> trustworthy, because the people who own the certificates can not revoke
> them even if they want to without paying an unexpected fee.

On Mon, Dec 22, 2014 at 6:53 AM, Edward Ned Harvey (blu) <b...@nedharvey.com> wrote:

> > From: discuss-bounces+blu=nedharvey....@blu.org [mailto:discuss-bounces+blu=nedharvey....@blu.org] On Behalf Of Jack Coats
> >
> > I haven't been following this thread, but is cacert.org certs wide
> > spread enough without users having to add certs (import)?
>
> No, but startssl is.
> _______________________________________________
> Discuss mailing list
> Discuss@blu.org
> http://lists.blu.org/mailman/listinfo/discuss
>

--
John Abreau / Executive Director, Boston Linux & Unix
Email: abre...@gmail.com / WWW http://www.abreau.net / PGP-Key-ID 0x920063C6
PGP-Key-Fingerprint A5AD 6BE1 FEFE 8E4F 5C23 C2D0 E885 E17C 9200 63C6