CACert?

Christopher Schmidt crschmidt at crschmidt.net
Wed Oct 26 09:36:01 EDT 2005


On Wed, Oct 26, 2005 at 09:18:36AM -0400, Paul Lussier wrote:
> crschmidt at crschmidt.net (Christopher Schmidt) writes:
> 
> > After this thread, I joined the mailing lists for CACert, and that, if
> > nothing else, convinced me that putting effort into the CACert process
> > is a wonderful goal in theory, but difficult, confusing, and troubling
> > in practice.
> [...]
> > The established procedures do not instill in me any sense of trust of
> > the process or the system under which CACert is proceeding.
> 
> [...]
> 
> >  at this point I have much more trust in companies like Verisign and
> > Thawte than I do in CACert, largely for technical reasons more than
> > anything else. I don't feel that the administrators of the project have
> > established that they have the necessary technical skills to take the
> > precautions necessary to ensure the safety of their certificate signing
> > procedure given what I have seen.
> 
> Perhaps GNHLUG, or some interested member could start a parallel
> project which works better?

Although in spirit this might be the right thing, I think that it would
be better for people to get involved in CACert. Anyone with a strong
hand to lead discussions and work through the existing "bureaucracy" in
CACert would probably be welcomed. The people are not unfriendly, or
unkind towards new people trying to help, it's simply more difficult
than joining into a 1-2 man project: it's a project with dozens of
contributors, of everything from support to technical know-how to Web of
Trust coordinators.

I have enough energy to lead an effort like that, if I came in at the
beginning, but not enough effort to find my way into the woodwork that
would be required to participate in any meaningful way.

This is true of a large number of open source projects, too: Things like
Mozilla (or Debian) become so huge that there is a bureaucracy to
contributing to them. CACert is the same idea. Smaller projects tend to
attract more contributors, as do projects with less "legacy" to deal
with. Changing CACert's website in one language would be a relatively
easy task, but changing it in the 17 different languages it's offered in
is difficult and requires significantly more effort.

CACert is the head of the game. I don't think that starting a parallel
project is best for the aim -- that of creating a web of trust network
for signing server certificates. I think that what could be useful, if
someone was interested, would be to create a small, dedicated team which
created a plan to change the way in which CACert presents itself, pull
in the necessary people for translations and so on, and get things done.

It has repeatedly been my experience that a small group of people
working together can achieve far more in a far shorter period of time
than a worldwide network of people can. Enough eyes make every bug
shallow, but they also make bikeshedding far too common. (I'm guilty of
this as well.) When you have hundreds of people trying to get their say
in, you just get a cacophony of noise rather than a usable result, and
that's no good for anyone.

Unfortunately, I'm being critical in a situation I hate to do so in: I
don't currently have the free time to contribute to such a group, so
anything I say is just blabber coming out of my mouth rather than a
dedication to help. I hate doing that, so I realize that my comments may
be taken with slightly less importance. My suggestion stands though:
create a small knowledgeable team, get the information that people need
to know, and get it out there with a professional look. That's what
CACert needs more than anything else.

-- 
Christopher Schmidt
