CACert?

Christopher Schmidt crschmidt at crschmidt.net
Mon Oct 10 17:32:13 EDT 2005


On Mon, Oct 10, 2005 at 05:02:25PM -0400, Bill McGonigle wrote:
> On Oct 10, 2005, at 16:34, Christopher Schmidt wrote:
> 
> >but still doesn't answer the one
> >question I really have: can I use these certificates and not have my
> >clients in IE get an error message?
> 
> No.  Well, sort of.  If the user has the CACert root certificate 
> installed he won't see a warning.  He can get that from you, from a 
> link on your website, whatever.  But it's not shipped by IE or Firefox 
> by default.  IE requires $70,000 to get included (IIRC) and
> Mozilla is confused about what to do.  They're working on it but with 
> only 2000 notaries world-wide it's arguably hard to justify.  

Yeah, I picked that up from clicking through and some foreknowledge, but
wanted to make sure -- something the website doesn't tell me.

Is there a drive of any kind to collect this money? It seems like a
great way to fight the Verizon/etc. trust monopoly, but so many people
simply won't trust certificates not created by an authority that IE will
trust. $70,000 doesn't seem like too gigantic of a price to pay,
especially if you get corporate entities (web developers tired of paying
exorbitant rates come to mind) involved.

How often are IE's certs updated? Is it a service pack kind of deal, or
a "new version" deal?

> I believe 
> Opera and Konqueror are including it. (aside: your browser only trusts 
> [Verisign/Thawte/GTE,etc.] because the browser ships with their cert.)  
> On the upside, a user need only once install a CACert root certificate 
> - this is one advantage over self-signed certificates.

Indeed. Hadn't thought of that.

> >However, it seems like an interesting project, and one I would like to
> >assist in. Does anyone know who to contact to get involved in their
> >website creation? It's very possible that it's run by people who aren't
> >English fluent, or people who simply don't have time to invest in it,
> >and I'm willing to put my time and money where my mouth is, given the
> >right contact point.
> 
> Try duane at cacert.org.  Maybe twice.  Your characterization of the 
> management is not incorrect, but their heart is in the right place.  
> Ditto for the website.  Also try their Wiki for more useful reading.

Don't see a wiki link from their website -- another faux pas.

> They certainly do need help but if one is displeased with the current 
> $300/yr-for-nothing regime that is SSL certificates, this seems like 
> the only way out.

Agreed, although it's not the only way, surely. Some cert organizations
that do work in IE are significantly cheaper: Comodo or something like
that is only $50/yr, if I remember correctly. Hm... looking, seems like
it's issued under the AddTrust Root CA. Ah, $50/yr if you buy 2 years --
http://www.instantssl.com/ssl-certificate-products/ssl/ssl-certificate-instantssl.html

Not perfect, but another option in the interim.

In any case, I'll try and ping duane. My major concern is simply that
corporations -- large groups of people who might be able to increase the
validity of efforts such as this one, through viral marketing -- may not 
be taking to the effort due to lack of significant marketing speak. I
would not want to point a client of mine to the CACert website as it
stands. Granted, I'm a small-time nobody atm, but that's the way it is.

-- 
Christopher Schmidt
http://crschmidt.net/



More information about the gnhlug-discuss mailing list