Hello,
Could you please start using a "normal" certificate on https://mail.fsfeurope.org ?
I feel frustrated when I advocate about FSFE and try to get new Fellows, and when I meet some of the people later they say they tried to start by joining the mailing list, but since there was a certificate error, they stopped and later forgot to try again. It's not nice to lose potential new Fellows because of this.
I too think CA-cert is a good idea, but we shouldn't use it before the root certificate gets accepted at least into Firefox. There is no point in trying to promote CA-cert in a way where visitors don't even see any text explaining why we have these errors and what CA-cert is about.
* Otto Kekäläinen otto@fsfe.org [2010-06-02 16:07:08 +0300]:
Last November I asked you to use a proper SSL/TLS certificate on the Fellowship-join page, so that potential new Fellows would not be put off by the SSL warnings their browser gave.
You fixed that - thanks!
Now I'd ask you to get a proper certificate for the mailing list server too.
I've noticed that some people who would like to subscribe to the fsfe-fi@-list don't do it because of the security warning they get when they visit the page https://mail.fsfeurope.org/mailman/listinfo/fsfe-fi
It should be as easy and safe as possible for people to join our mailing list, so that our announcements etc. will reach the maximum amount of interested people.
Hi Otto,
* Otto Kekäläinen otto@fsfe.org [100826 20:18]:
Hello,
Could you please start using a "normal" certificate on https://mail.fsfeurope.org ?
I feel frustrated when I advocate about FSFE and try to get new Fellows, and when I meet some of the people later they say they tried to start by joining the mailing list, but since there was a certificate error, they stopped and later forgot to try again. It's not nice to lose potential new Fellows because of this.
I too think CA-cert is a good idea, but we shouldn't use it before the root certificate gets accepted at least into Firefox. There is no point in trying to promote CA-cert in a way where visitors don't even see any text explaining why we have these errors and what CA-cert is about.
I'm sorry I have to say that, but things are not as easy as you might think. There are a few things I want to point out to you:
SSL certificates are expensive. I know some providers give them away for free, but AFAIK none of them allows you to use SAN [1] with your free certificate. This is however something we use quite extensively. For example, after starting to use a GoDaddy certificate for the Fellowship login pages (which are also used for the initial registration) people started to encounter errors when using the Fellowship SVN because it is hosted on the same server. If you can find us a sponsor for a wildcard certificate, this problem might be solved.
If you are actively advocating about FSFE, why don't you point people to these potential issues? I really think that they will understand the problem if you explain to them that FSFE can't grow money on trees. It is quite easy to install the CAcert root certificate even for inexperienced users. AFAIR there is a page on our wiki about the issue too.
Another thing I don't understand is why we should make our decision about using CAcert dependent on Mozilla's decision about it. Some Google guys used the same argumentation for not including the CAcert root in Android (although it is in the ca-certificates package in Debian and friends) - which I personally consider rather stupid. Instead of stepping back we should merely go ahead in promoting CAcert and try to make people ask Mozilla and other developers to include CAcert's root certificate in their products.
As a certified CAcert assurer I can also promise you that CAcert's system of checking your identity is much better than, for example, the procedure of StartSSL - which is another reason why we should actually increase our usage of these certificates.
[1] http://en.wikipedia.org/wiki/Subject_Alternative_Name
All the best, Martin
p.s. This e-mail has been signed using a certificate issued by CAcert.
On 26/08/2010 21:01, Martin Gollowitzer wrote:
* Otto Kekäläinen otto@fsfe.org [100826 20:18]:
I too think CA-cert is a good idea, but we shouldn't use it before the root certificate gets accepted at least into Firefox. There is no point in trying to promote CA-cert in a way where visitors don't even see any text explaining why we have these errors and what CA-cert is about.
Instead of stepping back we should merely go ahead in promoting CAcert and try to make people ask Mozilla and other developers to include CAcert's root certificate in their products.
Sorry for forking, my last wish is to prevent people from discussing all parts of this very interesting discussion. Still I would like to pop in and just ask this simple question: Have people from CAcert started/gone on with a discussion with Mozilla developers about this opportunity? If yes, would you have a pointer for me/us to learn more about what was said? If no, it would be my pleasure to start such a discussion, if I may.
Cheers, Nicolas
* Nicolas JEAN nicoulas@fsfe.org [100827 13:31]:
Sorry for forking, my last wish is to prevent people from discussing all parts of this very interesting discussion. Still I would like to pop in and just ask this simple question: Have people from CAcert started/gone on with a discussion with Mozilla developers about this opportunity? If yes, would you have a pointer for me/us to learn more about what was said? If no, it would be my pleasure to start such a discussion, if I may.
The discussion about this topic was started years ago. Mozilla's requirements for CA inclusion have meanwhile changed (CAcert actually helped Mozilla IIRC) and what is actually missing is an independent audit of CAcert, which is AFAIK stalled atm. Mozilla did however *not* kick out CAs not meeting the audit requirement after the policy had changed. So maybe what is even more needed than pressure on Mozilla and CAcert is helping with the audit - which is something we could of course also encourage people to do. For detailed information and information sources, please ask the search engine of your choice. The article about CAcert in the German Wikipedia also lists some sources (I haven't read the English one, sorry).
All the best, Martin