Discuss mailing list

[opennic AT lewman.us]

On Wed, 30 May 2012 16:59:38 -0500
Jamyn Shanley <jshanley AT gmail.com> wrote:
> I didn't say it was self-signed, I said CAcert certificates are not
> recognized by most browsers.
> It is not a good idea for a registrar to have warnings presented on
> their SSL pages by default.

I'm having a hard time with this logic. To me, by this logic it means
that you shouldn't be registering non-ICANN approved domains either.
99.99% of the dns clients out there won't understand the opennic
domains.

The commercial CA mafia is broken horribly and should not be relied
upon for authentication, only encryption between a webserver/load
balancer/network termination device and your browser. DANE and TLSA
should fix the commercial CA problems, or at least make them less
critical to a trust path. 

Also notice that Google created its own Internet Authority and
injected it into Firefox and Chrome; and now IE. Effectively, this is a
self-signed, non-CA mafia approved authority and cert chain run,
approved, and hosted by Google. A self-signed cert is just as valid as
a commercially signed CA cert. It just takes one extra hop to verify
(or force) your browser to accept it. 

-- 
Andrew
pgp 0x6B4D6475