Make CAcert a valid certificate-authority now!
At the moment Diaspora does not accept CAcert as a valid certificate authority and, as a consequence, people using CAcert certificates (and there are many) will not be able to communicate with other pods properly.
Admins already using CAcert may not create separate StartSSL certificates (as suggested in the wiki) simply because they are annoyed, and instead run their pod with "invalid" CAcert certificates, resulting in malfunctioning synchronization with other pods. Also, users of CAcert pods are not able to use Diaspora apps such as cubbi.es due to their unaccepted certificates.
In short, I think that the growth of the Diaspora podnet suffers from the exclusion of CAcert.
This is why I want to vote for including CAcert as soon as possible as a valid CA in the Diaspora project!
Alex started a proposal Thu 8 Aug 2013
Optionally accept CACert as certificate authority (Closed Thu 22 Aug 2013)
Make Diaspora pods optionally accept CACert-signed certificates.
In this way the Diaspora network no longer depends on commercial SSL certificates, as would be appropriate for an open, community-driven project like Diaspora.
Concerning security, CACert could even be considered more secure than, for example, StartSSL, because private keys never leave the user's host, while with StartSSL it is possible to have private keys created on the StartSSL website.
Make CACert support an optional configuration setting (not accepted by default) to meet the objections of some users who do not want to accept CACert as a certificate authority as long as it is not "generally" accepted by Microsoft and Mozilla.
- Then, once CACert is "generally" accepted, we could make it the default behaviour for Diaspora pods to accept its certificates.
Votes: Agree 11 | Abstain 11 | Disagree 11 | Block 11
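The optional setting sketched in the proposal, as an added Ruby example that is not Diaspora's or CAcert's code: a pod-side trust store that always uses the system roots and adds an extra community root only when a hypothetical `accept_extra_ca` setting is on (off by default). The CA and pod certificates are constructed in-process as throwaway test material.

```ruby
require 'openssl'

# Constructed throwaway PKI (added example, not Diaspora code): a root CA standing
# in for a CA that OS/browser stores do not ship, plus a pod certificate it signs.
def make_cert(subject, key, serial, issuer_cert: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.parse(subject)
  cert.issuer     = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

CA_KEY   = OpenSSL::PKey::RSA.new(2048)
CA_CERT  = make_cert('/CN=Constructed Community Root CA', CA_KEY, 1, ca: true)
POD_KEY  = OpenSSL::PKey::RSA.new(2048)
POD_CERT = make_cert('/CN=pod.example.invalid', POD_KEY, 2,
                     issuer_cert: CA_CERT, issuer_key: CA_KEY)

# Verify a peer pod's certificate the way the proposal describes: the system
# trust store is always consulted, the extra root only when the hypothetical
# setting `accept_extra_ca` is on (default off). Returns [ok, error_or_nil].
def verify_peer(peer_cert, extra_ca, accept_extra_ca: false)
  store = OpenSSL::X509::Store.new
  store.set_default_paths                      # OS / OpenSSL default roots
  store.add_cert(extra_ca) if accept_extra_ca  # opt-in community root
  ok = store.verify(peer_cert)
  [ok, ok ? nil : store.error_string]
end

if __FILE__ == $0
  p verify_peer(POD_CERT, CA_CERT)                        # default: rejected
  p verify_peer(POD_CERT, CA_CERT, accept_extra_ca: true) # opted in: accepted
end
```

This only governs pod-to-pod verification; a visitor's browser still uses its own root store, which is the warning the later comments in the thread refer to.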
Thu 8 Aug 2013
I don't want to request any action from the user. We need to open our network to non-geek people. Joe Average will not accept a certificate warning; he will simply not use the application, especially if he has to do it on desktop, mobile, etc.
Mon 12 Aug 2013
Given all the problems I was not aware of when opening the discussion, I changed my mind...
Thu 15 Aug 2013
Cypherpunk networks can just trust the necessary Certs themselves. If this was official, users would get security errors/warnings when seeing content from CACert pods. I agree that the state of SSL and the Cert system sucks, but we can't change that.
Wed 21 Aug 2013
I would say yes to the proposal, because non-commercial certs are very nice. But in fact I think this proposal is about changing the protocol. And maybe we should ask ourselves if we still need certs in the protocol.
Thu 22 Aug 2013
Sorry, this just seems like a bad idea. I don't see what the upside to this would be. Having sites that pop up warnings would just create dead ends in the Diaspora network.
Thu 22 Aug 2013
In the post-NSA-leaks era, I don't think that any of the commercial CAs are to be trusted. I vote in favour of CAcert being accepted in Diaspora.
Thu 22 Aug 2013
I am a big supporter of CAcert; I received my first certificate in 2006 and I'm an assurer. I'd love to see CAcert support in pod-to-pod communication, as XMPP is doing at the moment.