CACert?
Christopher Schmidt
crschmidt at crschmidt.net
Tue Oct 25 16:04:01 EDT 2005
On Tue, Oct 25, 2005 at 03:39:01PM -0400, John Abreau wrote:
> Bill McGonigle wrote:
>
> >Are there others here who use or are interested in using CACert
> >certificates? I'm a 150-point notary now, and if we get two others we
> >can churn out more notaries. We also have the option of having a
> >keysigning event where CACert will lend temporary points.
>
> Did anything ever come of this thread? I'd be interested in becoming a
> notary, and I imagine a number of my members would be, too.

After this thread, I joined the mailing lists for CACert, and that, if
nothing else, convinced me that putting effort into the CACert process
is a wonderful goal in theory, but difficult, confusing, and troubling
in practice.

The documentation for the certificates generated (especially for users
who don't really know what they're getting) is poor. It's unclear to
most users on the support lists that using a CACert certificate will
still result in the browser asking for confirmation.

All changes in the way things are done are done by committee, using the
wiki to prep changes first. As in all projects which use this method,
this simply means that everything boils down to a series of arguments
over trivial facts and nothing is ever done.

I already discussed the number of issues I had with finding the
information on the website, but the mailing lists are even less helpful
(although this may be in part due to a language barrier: there are a
number of translators on the project, but I've seen very few posts that
seem to speak English fluently, judging by their responses).
Oftentimes, a simple issue takes a 5-email thread to get to any
resolution, and even when it does happen, it often seems incomplete.

The established procedures do not instill in me any sense of trust of
the process or the system under which CACert is proceeding. As such, I
have chosen to, for the time being, participate only as a lurker, since
I have relatively little to add to the process. I speak as an outsider,
but at this point I have much more trust in companies like Verisign and
Thawte than I do in CACert, largely for technical reasons more than
anything else. I don't feel that the administrators of the project have
established that they have the necessary technical skills to take the
precautions necessary to ensure the safety of their certificate signing
procedure given what I have seen.

(This is very harsh to the entire project, so I would like to state that
this is my own opinion from the past 2-3 weeks of watching conversations
on the more active mailing lists for the project, and may be wrong or
slanted by my personal biases, such as being only an English speaker, or
other experiences which may slant my opinions.)

--
Christopher Schmidt