On Sat, 9 Nov 2013 21:30:13 +0600 Roman Mamedov <rm@xxxxxxxxxxx> allegedly wrote: > On Sat, 9 Nov 2013 12:50:18 +0000 > mick <mbm@xxxxxxxxxx> wrote: > > > I don't see any problem per se with a self-signed certificate on a > > site which does not purport to protect anything sensitive (such as > > financial transactions). The problem with this particular > > certificate is that the common name identifier is both wrong (www) > > and badly formattted (http://) But both of those errors can be > > corrected very quickly. > > > > Why pay a CA if you don't trust the CA model? > > If your primary objection is the need to pay for certificates (and > not e.g. the possibility of CA itself being backdoored etc), then I'd > suggest considering CACert[1]. It provides free wildcard certificates > which are already trusted out of the box by some[2] FOSS operating > systems such as Debian. > > I'd say it is better than trusting individual self-signed certs, and > somewhat better than using your own root CA cert, since it saves the > effort required to install your own CA on all machines you need to > use it on. > > [1] http://www.cacert.org/ > [2] http://wiki.cacert.org/InclusionStatus > Roman Paying for certificates is not my objection. My objection is to the model which says that "if I give money to a commercial entity in exchange for a certificate, that means that the trust chain is valid." I've actually bought certificates for websites I managed in the past and I am deeply unimpressed with the process. And, as you say, the cert could be backdoored. There are a huge number of CAs from all over the place in the default set shipped in ca-certificates - who do I trust? I have looked at CA-Cert in the past. They have the problem of very limited acceptability (https://en.wikipedia.org/wiki/Comparison_of_SSL_certificates_for_web_servers) But as I said, in my particular case, my certs are there to protect my credentials in transit. I don't have to care about whether others trust me. So I don't need a CA. (Though if I did want others to trust me, I'd probably use CAcert). Best Mick --------------------------------------------------------------------- Mick Morgan gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312 http://baldric.net ---------------------------------------------------------------------
Attachment:
signature.asc
Description: PGP signature
_______________________________________________ tor-relays mailing list tor-relays@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays