On Aug 19, 2009, at 2:56 PM, Phil Leinhauser wrote:

All that money on expensive certs I've spent!!! That one works for me!


seriously :)

bear in mind, however, that the CAcert.org root certificates are not included by default in many major browsers, which means that users need to manually install them. how is this an improvement over self-signed certs? it's an improvement in that once a user installs the CAcert.org roots *once*, he then has secure access to *all* sites and services that use CAcert.org-issued certificates; the user (or, for a larger organization, the tech support staff) need to do the same amount of work, but the benefit is much greater.

if you're going to use CAcert.org-issued certs, i strongly recommend that you get yourself well-linked into the web of trust. read this document (http://wiki.cacert.org/wiki/FAQ/AssuranceIntroduction) to learn how to get your trust points up; if you can attend an "assurance party", you can quickly pass the first milestone, and in addition you can visit your local Notary Public, have your identity verified and notarized, and send the paperwork off to CAcert.org in order to get a big chunk of points (they call this Trusted Third Party assurance). once you pass your first milestone of trust points, you can get certificates that last for two years rather than 6 months; this is a major convenience :)

in short: i can't in good conscience recommend that you use a cert from CAcert.org for a commercial service unless you have some other mechanism (e.g. tech support staff, or an autoinstaller, or something) for pushing out the root certs to your users' machines, not because of any concern about the security or trustworthiness of CAcert.org, but because people will see scary SSL warnings and you may lose business. on the other hand, for any non-commercial purpose, they're *AWESOME*, and in addition to saving money, you're supporting an excellent cause.

-steve

--
If this were played upon a stage now, I could condemn it as an improbable fiction. - Fabian, Twelfth Night, III,v
http://five.sentenc.es
