savannah-hackers

Re: [Savannah-help-public] missing SSL cert from savannah site


From: Yavor Doganov
Subject: Re: [Savannah-help-public] missing SSL cert from savannah site
Date: Fri, 16 Oct 2009 22:01:56 +0300
User-agent: Wanderlust/2.15.5 (Almost Unreal) SEMI/1.14.6 (Maruoka) FLIM/1.14.9 (Gojō) APEL/10.7 Emacs/23.1 (i486-pc-linux-gnu) MULE/6.0 (HANACHIRUSATO)

Matt Lee wrote:
> I don't think this is about clueless users, and I find it pretty sad
> that we're talking about people like that.

OK, I withdraw my words.  What is this all about, really?

> Free software is for everyone, and used by people who may seem
> clueless about this problem, but it's because they've never had to
> deal with it before!

Right.  So you seem to say that we should ensure that they don't have
to deal with this when authenticating with Savannah by purchasing a
certificate from a CA that is approved by the top web browser
distributors?  Is that right?

> For me, this is about trust, plain and simple.

For me, likewise.  I don't think we should pay even a penny to certify
that we are we.  Even though the cost is negligible, this is a matter
of principle.

> If users are doing things in a secure manner on the web, it should be
> done over HTTPS, and that means paying the certificate folks for a real
> certificate that is included in all the browsers people use.

No.  What you call "real certificate" is debatable.  You can certainly
have "real certificate" without "paying the certificate folks".  The
system administrator decides what CAs to trust, and users can always
override his choice.  This discussion seems to be about bowing before
Mozilla's and Microsoft's specific choice of CAs.

> We want people to trust the GNU project and the FSF.

Don't exaggerate.  Authenticating the connection with the Savannah
server has little to do with the general trust in the GNU project and
the FSF.  Needless to say that you can perform 99% of the useful tasks
without HTTPS access at all.

> Broken SSL certificates like this one,

Please.  Our certificate is not broken.

It may appear broken to people who have no clue what an invalid
certificate means, in which case we provide palatable documentation
with explanation and simple steps to perform the validation, which is,
in all cases, much better security-wise from the standpoint of the
ordinary user whose interests both parties intend to protect.



