[TYPO3-typo3org] Signed SSL-certificate

Michael Stucki michael at typo3.org
Mon Feb 22 14:20:01 CET 2010 

Hi Dmitry,

>> You're sure you've read about CACert? They are in the process of getting
>> included in the official Firefox.
> 
> What about MSIE, Opera, Safari?

Without support and initiative it will definitely never happen,
otherwise maybe...

> I still do not see a reason for forcing people to import any unknown
> certificate authority root to their browsers. If CA root comes with a
> browser, it is surely verified by a browser vendor. If it is not
> included, may be there is a reason.

As Martin already said, the reason is money.

> How can I be sure that cacert.org is good and secure? I am against
> importing everything that some site may request. It is a path to taking
> more and more insecure decisions later such as "Oh, this Java applet is
> signed by JohnDoe, let's allow it access to my local files! It signed,
> so it is ok." Bad idea really...

I strongly disagree that CAcert is insecure in any way! In fact, I have
more trust in a certificate which is checked by individuals without
financial motivation (some of them which I even know personally) rather
than a company which I have never heard of (Certplus, Comsign,
Dhimyotis, etc.).

> Ingmar, it really looks that TYPO3 took this user–unfriendly step only
> to save $200 on a proper certificate. Why else would TYPO3 use a free
> unknown certificate that annoys users? As you see, this question pops up
> from time to time and devs are not happy. Forge is for devs, so why
> typo3.org team does not want devs to be happy in this case?

Who says that devs are not happy?

> What was the reason to choose an untrusted certificate for typo3.org?

It is trusted! It's just not approved by factory default.

The reason was that we did not even think about such a discussion. To be
 honest, I would have expected more support for a related initiative
like this.

The goal was to provide encrypted authentication, that's why we needed
an SSL certificate. After all we don't need it to prove our identity,
it's just a nice side-effect that this is provided.

- michael

More information about the TYPO3-team-typo3org mailing list