Discuss mailing list

[Alex Hanselka <alex AT opennicproject.org>]

I'd just like to mention that you can't get a commercial cert for an
opennic DNS. IF you find a place, let me know.

On 5/30/2012 6:27 PM, Jamyn Shanley wrote:
> On Wed, May 30, 2012 at 6:19 PM,  <opennic AT lewman.us> wrote:
>> On Wed, 30 May 2012 16:59:38 -0500
>> Jamyn Shanley <jshanley AT gmail.com> wrote:
>>> I didn't say it was self-signed, I said CAcert certificates are not
>>> recognized by most browsers.
>>> It is not a good idea for a registrar to have warnings presented on
>>> their SSL pages by default.
>> I'm having a hard time with this logic. To me, by this logic it means
>> that you shouldn't be registering non-ICANN approved domains either.
>> 99.99% of the dns clients out there won't understand the opennic
>> domains.
>>
>> The commercial CA mafia is broken horribly and should not be relied
>> upon for authentication, only encryption between a webserver/load
>> balancer/network termination device and your browser. DANE and TLSA
>> should fix the commercial CA problems, or at least make them less
>> critical to a trust path.
>>
>> Also notice that Google created its own Internet Authority and
>> injected it into Firefox and Chrome; and now IE. Effectively, this is a
>> self-signed, non-CA mafia approved authority and cert chain run,
>> approved, and hosted by Google. A self-signed cert is just as valid as
>> a commercially signed CA cert. It just takes one extra hop to verify
>> (or force) your browser to accept it.
> I guess it depends on what OpenNIC goals are. If there is any interest
> in actual adoption and use outside a very very tiny group of people,
> services should work for the typical user. Not just people running
> linux, not just people who have technical understanding of what's
> going on. No, they should work for almost everyone.
>
> If there's no interest in ever getting things to work well for the
> common user, then of course it doesn't matter that the registrar site
> doesn't work for the typical person. Anyone with some technical
> understanding of the issue will fix it themselves. But that's all the
> userbase you're going to get unless you create a system that works
> well for everyone.
>
> Improvements are made one step at a time. SSL certificates are just
> one of many potential problems with OpenNIC. If all people want to do
> is to get it working sort of well enough for a few geeks to
> occasionally use in a somewhat reliable manner, then that's great and
> I guess I seriously misunderstood the project goals.
>
>
> --------
> You are a member of the OpenNIC Discuss list. 
> You may unsubscribe by emailing discuss-unsubscribe AT lists.opennicproject.org