Lots of discussion on Planet Gnome about self-signed certificates and SSL and so on. I wonder if the Linux distros should get together and create a new CA, and then install that CA’s root certificate in browsers? So that way, things like various project bugzillas will have a legit SSL certificate without having to pay if they don’t want to. Of course, this new FreeSoftwareProjectCA would still have to go through the same verification processes to ensure that a given certificate is being asked for by the right people, etc, etc.
Obviously, the root certificate would only be installed in your browsers if you get them from your distro (because the distros would add them to their browser packages) — this means that people on Windows or who install their own copy of Firefox (or whatever) would still get the “this is a certificate I don’t recognise” warning. However, that’s no worse off than it is now, and I think it’s reasonable to assume that people who use bug-tracking sites for free software projects running on a free software OS are disproportionately people using that OS who will therefore have the certificate.
(Update: johnath says “StartSSL, in the Firefox 3 root store, offers [SSL certificates] for free”, which might have the same effect; I don’t know whether StartSSL’s root certificate is in other browsers, but that’s no worse than the idea that I propose above.)
There’s already a CA maintained by SPI (mostly used by Debian) as well as cacert.org.
Posted by Mark Brown on August 6th, 2008.
Bollocks, my OpenID didn’t work :( Still, you know it’s me by all the mistakes ;)
Anyway, as I was failing to say: love the new look. It reminds me of the old newspaper stylings you tried a while back. Very clean.
The idea of a CA for free and open source peeps to use for free also solves the problem of what projects do with money they are given.
Posted by sparkes on August 6th, 2008.
StartSSL certs are trusted by Firefox and Safari – and reports are saying Kopete isn’t trusting them by default, and neither is IE. But still – it’s great to see free trusted certs widely used.
Posted by Anonymous on August 7th, 2008.
I’ve done a quick test with a StartSSL free cert. It seems to be signed with a CA not installed in FF3 (at least Fedora’s; I haven’t tried with Mozilla-supplied binaries). That’s for server certs; client certs seem to be fine though.
Posted by Angel Marin on August 7th, 2008.
A lot of discussion about this has taken place on Planet Gnome. I really think Linux distros should come up with a new CA.
Posted by Linux Training India on August 8th, 2008.