[Ach] StartSSL for Business Sysadmins

ianG iang at iang.org
Tue Jan 14 09:38:52 CET 2014

On 14/01/14 10:51 AM, Tobias Dussa (SCC) wrote:
> Hi,
> On Mon, Jan 13, 2014 at 08:42:15PM +0100, Rainer Hoerbe wrote:
>> My point was that a highly secure cert from SuperSecureCA.com does not make my
>> server better, because it can always be impersonated from weaker CAs. It is
>> the lowest common denominator that counts.
> That depends entirely on how the client is set up and CAN be addressed.  That is
> EXACTLY the point: Whining about how everything is broken if implemented in a
> stupid way is nice, but what is needed is some advise on what to do about it
> sensibly.

Write it?  Provide it?

I'm not sure clients can be set up and addressed.

It might be possible to provide advice for a corporation to setup and
configure all its web browsers, but I hadn't heard this was easy.  The
big problem with web browsers is that they assume that all CAs are the
same, and as you so manifestly say, this isn't the case.

So either the corporate reconfigures the root list (to what? not easy)
or the the browsers display the CAs prominently (which they refuse to do
normally, is there a config that will make them do that?) and we get the
users to learn their favourite brands.

What is it that you are hinting of?  If you can add to this, I'm not
proud, I'll be the first to steal you advice and push it through CAcert :)

>> Those "Free" packaged are not really free. Either the cert is a marketing
>> tool, or there is some other business model. Startssl.com ist not 100% free,
>> e.g. they charge for revocation.
> So what's the business model for CAcert?

Good and difficult question.  For CAcert, it's mission is more or less
to protect its members.

It's members universally wanted the CAcert root to be in the root list
they could get away from popup madness, and that was its 2000s goal.
But that has failed.  Won't happen.  So CAcert is in dire need of a
future business model.

As a "cost" equation, using CAcert certificates is actually quite
expensive (leaving aside the root list issue).  You have to get assured
and that can take some time and visits and expense.  I also noticed
somewhere that StartSSL charges $60 per year for this ...

> Or for the DFN PKI?

Q for others!


More information about the Ach mailing list