Loomio
Mon 5 Aug 2013 12:32PM

Make CAcert a valid certificate-authority now!

Alex

At the moment Diaspora does not accept CAcert as a valid certificate authority and as a consequence people using CAcert-certificates (and these are many) will not be able to communicate with other pods properly.

Admins already using CAcert may not create separate StartSSL-certificates (as suggested in the wiki) just because of being annoyed and run their pod with "invalid" CAcert-certificates resulting in malfunctioning synchronization with other pods. Also users of CAcert-pods are not able to use Diaspora-apps such as cubbi.es due to their unaccepted certificates.

In short I think that the growth of the Diaspora-podnet suffers from the exclusion of CAcert.

This is why I want to vote for including CAcert as-soon-as-possible as a valid CA into the Diaspora project!

Sean Tilley Mon 5 Aug 2013 5:10PM

Why were they considered invalid in the first place?

Mike Macgirvin Mon 5 Aug 2013 11:24PM

I would urge you to carefully consider the consequences before doing this. As we discovered on the Friendica project (where even self-signed certs are accepted), invalid certs (as determined by the browser vendor) annoy people with popup warnings when viewing pages with content from other sites such as linked images.

I work on hundreds of computers in a day, and cannot even use Friendica from a new computer without manually writing down every "invalid cert" URL and visiting each site to accept them all. You don't get a choice with images to accept the site when the warning pops up. You have to visit the site to get the option to accept it. Your mom isn't going to do this. She's going to see the "this website isn't trusted" and take the browser advice to "get me out of here". The thing is, it won't be the untrusted site where the warning pops up. It will be your site, after you've paid for a cert.

Anyway - I'm an outsider on this project and you're free to do as you wish, but please weigh this decision carefully. With the Red Matrix project, we went full circle and lack of a browser valid cert (we're using the Mozilla trusted CA list) means you aren't part of the network - period. It isn't about trust and it isn't about the cert "cartel" - it's about annoying your friends and making it difficult or impossible to see their own (or your own) social stream on multiple computers without technical hassles.

Jonne Haß Tue 6 Aug 2013 10:53AM

It definitely shouldn't become the recommended method, my point is to enable federation with pods on CACert certificates. I'd go so far as to include an extensive explanation in the installation guide, make it the podmin's decision.

Alex Wed 7 Aug 2013 7:07AM

@mikemacgirvin I completely agree with you that Diaspora should not allow for a “popup-catastrophe”, but only allowing one other certificate authority should not put Diaspora users in that situation.
Besides, I think it is also about the “cert-cartel” and a free community-driven project such as Diaspora should not rely on some company selling certificates.

@jonnehass Yes. Maybe it should be the podmin's decision, but at least it should be the default policy to accept CAcert. - In my opinion it should not even be the podmin's decision and there should be no config-option to disallow CAcert. - As one of Diaspora's strengths is decentralization, boundless communication between all pods is crucial and should not depend on config settings which split the pod-network into subnets!

Flaburgan Wed 7 Aug 2013 1:03PM

While the browsers do not recognize CaCert, it's really hard to use it...

Jonne Haß Wed 7 Aug 2013 2:04PM

Well, it's really only the Mozilla products since they come with their own CA bundle. All other ones use the system's bundle. Debian and all that base their CA bundle on it, like for example Arch, already include CACert. So the major ones left are Fedora/Red Hat, CentOS, Windows and Ubuntu.

Flaburgan Wed 7 Aug 2013 2:19PM

90% of our users :p

Alex Wed 7 Aug 2013 3:53PM

@flaburgan But don't you think it would be reasonable for Diaspora users to once install the CACert root-certificate in their browsers if CACert is not accepted by default? - After all it's as simple as visiting one link and clicking the accept-button.

In addition one could create a wiki-entry explaining to users why Diaspora is accepting and supporting CACert and giving a link to the root-certificates. - I also hope that with more projects like Diaspora supporting CACert at some point Mozilla (and others) will give in and accept CACert as certificate authority.

Flaburgan Thu 8 Aug 2013 7:13AM

All Firefox users + every Windows and Ubuntu user = 90 (95?)% of diaspora users. We can't ask each one to add a new certificate authority. And as described by @mikemacgirvin accepting all certificates is really annoying. Moreover, it's not accept once a new authority, it's accept it on all machines you use: your computer, your mobile, your professional computer, etc.

I'm sorry but we should (or the guys from CaCert should) work on polishing their certificate process to be accepted by Mozilla and Microsoft, and after that, we could accept CaCert...

Poll Created Thu 8 Aug 2013 7:52AM

Optionally accept CACert as certificate authority Closed Thu 22 Aug 2013 11:02AM

Make Diaspora pods optionally accept CACert-signed certificates.

In this way the Diaspora network no longer depends on commercial SSL-certificates, as would be appropriate for an open, community-driven project such as Diaspora.

Concerning security CACert could even be considered more secure than for example StartSSL because private keys never leave the host of the user, while with StartSSL it is possible to have private keys being created on the StartSSL website.

Make CACert support an optional configuration-setting (not accepting by default) to come up to the objections of some users not wanting to accept CACert as certificate authority as long as they are not "generally" accepted by Microsoft and Mozilla.

  • Then once CACert is "generally" accepted we could make it the default behaviour for Diaspora pods to accept their certificates.

Results

Option | % of points | Voters
Agree | 33.3% | 11 (ST JH EG C M MS C S N FTL TA)
Abstain | 27.3% | 9 (FS G RF H R SVB DU N A)
Disagree | 30.3% | 10 (F DM T D DU SM RS A A RB)
Block | 9.1% | 3 (TS JR BB)
Undecided | 0% | 248 (BK MS AA S CB HF BO DM GC JH RF M G AX PC PP LP T DY SH)

33 of 281 people have participated (11%)