Discuss mailing list

[Jamyn Shanley <jshanley AT gmail.com>]

On Wed, May 30, 2012 at 6:19 PM,  <opennic AT lewman.us> wrote:
> On Wed, 30 May 2012 16:59:38 -0500
> Jamyn Shanley <jshanley AT gmail.com> wrote:
>> I didn't say it was self-signed, I said CAcert certificates are not
>> recognized by most browsers.
>> It is not a good idea for a registrar to have warnings presented on
>> their SSL pages by default.
>
> I'm having a hard time with this logic. To me, by this logic it means
> that you shouldn't be registering non-ICANN approved domains either.
> 99.99% of the dns clients out there won't understand the opennic
> domains.
>
> The commercial CA mafia is broken horribly and should not be relied
> upon for authentication, only encryption between a webserver/load
> balancer/network termination device and your browser. DANE and TLSA
> should fix the commercial CA problems, or at least make them less
> critical to a trust path.
>
> Also notice that Google created its own Internet Authority and
> injected it into Firefox and Chrome; and now IE. Effectively, this is a
> self-signed, non-CA mafia approved authority and cert chain run,
> approved, and hosted by Google. A self-signed cert is just as valid as
> a commercially signed CA cert. It just takes one extra hop to verify
> (or force) your browser to accept it.

I guess it depends on what OpenNIC goals are. If there is any interest
in actual adoption and use outside a very very tiny group of people,
services should work for the typical user. Not just people running
linux, not just people who have technical understanding of what's
going on. No, they should work for almost everyone.

If there's no interest in ever getting things to work well for the
common user, then of course it doesn't matter that the registrar site
doesn't work for the typical person. Anyone with some technical
understanding of the issue will fix it themselves. But that's all the
userbase you're going to get unless you create a system that works
well for everyone.

Improvements are made one step at a time. SSL certificates are just
one of many potential problems with OpenNIC. If all people want to do
is to get it working sort of well enough for a few geeks to
occasionally use in a somewhat reliable manner, then that's great and
I guess I seriously misunderstood the project goals.