Which is what I fear will happen with this project. No list of which browsers/OSes will include their root certificate, although it does mention Mozilla being involved.
As a school, we used to be able to get a free certificate from ipsca but they’ve stopped now and even when we could it wouldn’t work with anything other than IE and Chrome on Windows. Interestingly, this was not really a problem at the start of the 3 year certificate but was annoying everyone greatly by the end.
Transparent: All records of certificate issuance and revocation will be available to anyone who wishes to inspect them.
What information would be in these records?
Why does EFF get top billing here?
I know a number of Mozilla people who were essential to making this happen (such as Joshua, who is running the effort and the CTO of Mozilla, Andreas).
Last I knew, the issue with CAcert was that they still needed to complete a set of audits before they could meet the inclusion policies for various browsers. I look in on the project once in a blue moon to see where things stand, but there hasn’t been a whole lot of information to judge the progress without digging in deep.
I would hope that with the EFF and Mozilla folks backing this project, they might be able to get over that hurdle a bit more easily. I’m a little worried though that they’re centering it around their own software to handle everything… automated processes are fine, but there’s times/situations when I’d prefer just handling it myself.
Indeed - they also mention installing it by apt-get - would be a shame if there’s not a Windows version.
This is great news, though it does kinda sound too good to be true. As knelmes mentions, my first thought was “what about the browsers?” They don’t seem to address the issue on the website but I’ll be keeping an eye on it over coming months.
Could be nice as long as:
- the root key gets widely distributed to browsers and other things which depend on TLS working right. That might also mean a heck of a lot of embedded systems too.
- they clear up the less than clear parts about verifying the entity owning the cert rather than just using DNS match ups to verify the server itself.
In any case, don’t forget that SSL/TLS only protects data in transit and does nothing for data on servers, it ain’t a magic wand.