At the end of the day, most certificates can just be considered 'domain validated'. The 'green-bar'-certificates ('Extended Validation') ones are what used to be the what they did. Maybe they even do more with EV, but all the others are just 'domain validated'. Let's not kid ourselfs.
What does that mean ? You upload a certificate request on the site it downloads the whois-information does some automated checking from the addresses in the whois you choose which one to mail it to (or one of these: admin@domain.tld postmaster@domain.tld webmaster@domain.tld hostmaster@domain.tld ) and they send you an email and you click the link and they will do some generic checks and if it looks valid and a certificate is issues.
This isn't about what the user wants, it is about the users freedom.
In the US people can choose to buy guns and not have healthensure. That is their choice, they have freedom. It might not be something they want to... that is a totally different thing.
Many people that have tried Apple products have actually said they do not want this restricted stuff and want to be allowed to do other stuff with those products but Apple says no. Those are not happy users, Apple doesn't are for their wishes, they restrict what they can do. On purposely restrict what they can do. So less freedom.
OK, there is this long discussion above about freedom.
The creators of the GPL(v3) have one party in mind when they talk about freedom. It is not the developers, it is not the businesses. It is about the users of the software. They want to give as much freedom to the user first. This means the user of the software should always get the source of the software he is using so he/she does not depend on one vendor. There are some clauses about patents too, but they are also about giving the users of the software the ability to take the source and go to an other developer and having them add or remove other functions the original developer didn't want to do.
The BSD-license is about giving the developer the most freedom. They can sell it commercially, adopt it as something new and don't give anyone else the source.
Apparently Apple isn't about giving users the most freedom, but I guess you already knew that.;-)
A CRL is a list of all the id's which have been revoked and the list as a whole is a re-signed/re-encoded everytime something is added, so the whole list is downloaded each time.
Did you know that for every revoked certificate which makes it on the list it adds atleast a terabyte of traffic for the CA per year. That is just one cert.
Do you really think it will work reliably for normal users ? For technical users, I would just like to have the ability to restrict a CA to a few domains so when I visit a self-signed site like you mentioned. I can just add the CA to my CA-list, but just for that domain.
Probably something like publishing your certificate information in DNS and verifiable with DNSSEC is the real solution ?
Slashdot Mirror
I totally agree we should add that, there is just one problem.
The root, .net and .com and so on are controlled by the US-government-agency.
So you replace many CA's by one 'CA' which might have different 'priorities' than you.
Because the format sucks:
http://www.youtube.com/watch?v=54XYqsf4JEY
The format is ambiguous.
I think their are 2 reason why browser builders ware adding PDF-readers to the browser:
1. process seperation (the add-on can crash the browser)
2. security, Acrobat Reader has far, far to many features which makes it insecure
You can use the startssl-certs for websites too btw. Not just for mail.
Dirt cheap ? How about free: https://www.startssl.com/
Maybe Comodo is, but not their 'resellers'
At the end of the day, most certificates can just be considered 'domain validated'. The 'green-bar'-certificates ('Extended Validation') ones are what used to be the what they did. Maybe they even do more with EV, but all the others are just 'domain validated'. Let's not kid ourselfs.
What does that mean ? You upload a certificate request on the site it downloads the whois-information does some automated checking from the addresses in the whois you choose which one to mail it to (or one of these: admin@domain.tld postmaster@domain.tld webmaster@domain.tld hostmaster@domain.tld ) and they send you an email and you click the link and they will do some generic checks and if it looks valid and a certificate is issues.
Really, that is all.
I have some doubts Mozilla will drop Comodo, I think Comodo is 'to big to fail'.
My guess is they issue 1000s of certs a day, most of them are valid for a year. Those would all stop to work.
They are already doing DNSSEC-services. Would it matter to them what services they sell to people ?
It will take years for this to be rolled out.
Have a look at this recent post by me:
http://slashdot.org/comments.pl?sid=2051242&cid=35598706
Yeah, ok, english is not my first language. Resellers was a bad way to refer to them.
The problem is, their customers don't have a lot of places to go.
I've only visited Canada a few times, but even I know it is mostly Bell for DSL, or Rogers for cable in the ground with some resellers on top.
You probably will be paying the two mentioned above atleast a line or termination fee.
So their isn't much to choose.
Judging by the comments on the article, Java is the same.
This is about people who only know .Net (or Java) and can't think for themselfs.
Actually, many in the comments felt the same way about Java programmers (people who only program in Java).
This isn't about what the user wants, it is about the users freedom.
In the US people can choose to buy guns and not have healthensure. That is their choice, they have freedom. It might not be something they want to... that is a totally different thing.
Many people that have tried Apple products have actually said they do not want this restricted stuff and want to be allowed to do other stuff with those products but Apple says no. Those are not happy users, Apple doesn't are for their wishes, they restrict what they can do. On purposely restrict what they can do. So less freedom.
OK, there is this long discussion above about freedom.
The creators of the GPL(v3) have one party in mind when they talk about freedom. It is not the developers, it is not the businesses. It is about the users of the software. They want to give as much freedom to the user first. This means the user of the software should always get the source of the software he is using so he/she does not depend on one vendor. There are some clauses about patents too, but they are also about giving the users of the software the ability to take the source and go to an other developer and having them add or remove other functions the original developer didn't want to do.
The BSD-license is about giving the developer the most freedom. They can sell it commercially, adopt it as something new and don't give anyone else the source.
Apparently Apple isn't about giving users the most freedom, but I guess you already knew that. ;-)
I think I just realized why this is.
A CRL is a list of all the id's which have been revoked and the list as a whole is a re-signed/re-encoded everytime something is added, so the whole list is downloaded each time.
I guess I remembered it a bit wrong, it was a lot less. But still a lot:
"How much costs ONE revocation? 0.2 KB x ~12,000,000 CRL downloads x 52 weeks x 7 years = More than 850 GB for ONE revocation."
http://twitter.com/eddy_nigg/status/11729927248
(Eddy Nigg owns/operates StartSSL)
Maybe some other CA need get more requests (more sites using their certs ?) and maybe the numbers also go up in the years (more users)
Seems that wasn't the original, anyway. I wanted to post a link to the Beastie Boys :-)
http://www.youtube.com/watch?v=ACraVoR01Yg
In theorie everything in computing can be sabotaged, what is your point ? ;-)
But who cares about boring details, enjoy:
http://www.youtube.com/watch?v=jwVMxR8PcyM
Did you know that for every revoked certificate which makes it on the list it adds atleast a terabyte of traffic for the CA per year. That is just one cert.
Now that I think about it.
Doing selfsigned is not needed anyway ? Because why do you do selfsigned ? Because you don't want to pay for it ?
That problem was already solved last year:
https://www.startssl.com/
Paying for SSL-certificates is not needed anyway: https://www.startssl.com/
Yeah, well, maybe.
Do you really think it will work reliably for normal users ? For technical users, I would just like to have the ability to restrict a CA to a few domains so when I visit a self-signed site like you mentioned. I can just add the CA to my CA-list, but just for that domain.
Probably something like publishing your certificate information in DNS and verifiable with DNSSEC is the real solution ?