[TYPO3-typo3org] Signed SSL-certificate

[Martin Schoenbeck]

Hi Dmitry,

Dmitry Dulepov schrieb:

> I still do not see a reason for forcing people to import any unknown 
> certificate authority root to their browsers. If CA root comes with a 
> browser, it is surely verified by a browser vendor. If it is not 
> included, may be there is a reason.

Sure. It's the same reason all over again: money. An audit required to get
in the browser isn't cheap. And therefore in this caseno real indication
for the quality of the certificate authority. And nobody is required to
import the CAcert-Root-certificates in his browser. He can simply import
the typo3 certificate alone. What was some years ago the reason to use the
star-office document format for documentation in typo3 and not a document
format with more money behind it?

> How can I be sure that cacert.org is good and secure?

How can you be sure with other certificate authorities? The requirements to
get a certificate are far less on several authorities included in all
browser than they are with CAcert.

> I am against 
> importing everything that some site may request. It is a path to taking 
> more and more insecure decisions later such as "Oh, this Java applet is 
> signed by JohnDoe, let's allow it access to my local files! It signed, 
> so it is ok." Bad idea really...

But that's a very bad idea even if it is signed with a certificate of a big
authority. And again: nobody has to include the root certificate just to
use the typo3 certificate.

> Ingmar, it really looks that TYPO3 took this user–unfriendly step only 
> to save $200 on a proper certificate.

Spreading free certificates is a user friendly step. So the money doesn't
matter. I personally have as much trust into a CAcert certificate than into
other certificate authorities. And if you compare validation schemes,
you'll probably have too.

Martin
-- 
Bitte nicht an der E-Mail-Adresse fummeln, die paßt so.