[Ach] StartSSL for Business Sysadmins

ianG iang at iang.org
Mon Jan 13 11:06:38 CET 2014

Hi Tobias,

On 13/01/14 12:44 PM, Tobias Dussa (SCC) wrote:
> Hi,
> On Mon, Jan 13, 2014 at 12:25:35PM +0300, ianG wrote:
>> My point is this:  I would advise ACH to fight battles we can win.
>> Yes, we can win the battle of httpd config, it's bounded to only a
>> 100 or so params.  We can win StartSSL, or all of the hundred or so
>> smaller systems.
>> IMHO:  we cannot win the battle of Better x509, CAs, certs, etc.
>> Or, if you can, you're a Better man than I, and the thousand others
>> that also tried, and failed, and wasted countless years on it.
> So essentially you don't think we can help make things more secure, X.509-wise,
> because it is too big a task.  Fair enough, I suppose.  Like I said, I do agree
> that it is a huge problem and takes a lot of work.

Well, more or less.  "Too big a task" isn't the real reason but I guess
it's a sort of acceptable compromise :)

> Still, even modest progress would make a big difference IMHO, and I am dead
> certain that a LOT of people would really appreciate sound advice on this
> matter.  Yes, there are many, many guides and papers on this, and most of them
> are utter bullshit.  If we agree that we won't cover anything X.509-related
> because it's too much of an effort, so be it.  I do think that exactly BECAUSE
> it is so hard apparently people need good advice all the way, even if it is not
> the all-encompassing Grand Unified Theory of All Things X.509.

That's absolutely true.  People would appreciate good advice, and it's
really needed.  I spent around 6 years on that project, so I know that,
for sure.  Which might explain why I'm a bit brutal on this topic...

If you wanted to do that, provide good advice, I'd say set up a separate
document and a separate mailing list.


More information about the Ach mailing list