This is as days pass by, by Stuart Langridge

And this is Certification, written , and concerning Web

Lots of discussion on Planet Gnome about self-signed certificates and SSL and so on. I wonder if the Linux distros should get together and create a new CA, and then install that CA's root certificate in browsers? So that way, things like various project bugzillas will have a legit SSL certificate without having to pay if they don't want to. Of course, this new FreeSoftwareProjectCA would still have to go through the same verification processes to ensure that a given certificate is being asked for by the right people, etc, etc. Obviously, the root certificate would only be installed in your browsers if you get them from your distro (because the distros would add them to their browser packages) -- this means that people on Windows or who install their own copy of Firefox (or whatever) would still get the "this is a certificate I don't recognise" warning. However, that's no worse off than it is now, and I think it's reasonable to assume that people who use bug-tracking sites for free software projects running on a free software OS are disproportionately people using that OS who will therefore have the certificate. (Update: johnath says "StartSSL, in the Firefox 3 root store, offers [SSL certificates] for free", which might have the same effect; I don't know whether StartSSL's root certificate is in other browsers, but that's no worse than the idea that I propose above.)

Comments

Mark Brown

There's already a CA maintained by SPI (mostly used by Debian) as well as cacert.org.

sparkes

Bollocks my openid didn't work :( Still you know it's me by all the mistakes ;)

anyway as I was failing to say love the new look reminds me of the old newspaper stylings you tried a while back very clean.

The idea of a CA for free and open source peeps to use for free also solves the problem of what projects do with money they are given.

Anonymous Coward

StartSSL certs are trusted by Firefox and Safari - and reports are saying Kopete isn't trusting them by default, neither IE. But still - It's great to see free trusted certs widely used.

Angel Marin

I've done a quick test with a StartSSL free cert. It seems to be signed with a CA not installed in FF3 (at least fedora's, haven't tried with mozilla supplied binaries). That's for server certs, client certs seem to be fine though.

Linux Training India

A lot of discussion has been done about this on Planet Gnome.. I really think linux distros should come up with a new CA.

This website belongs to Stuart Langridge. Contact details are available. Don't eat yellow snow. Valid HTML5, at least in theory, except for the bits that aren't because I'm that futuristic that I'm ahead of the spec, oh yes. HTML5 help from Bruce Lawson, among others. Fonts from the superb FontSquirrel. End.