
discuss - Re: [opennic-discuss] Browser extension

discuss AT lists.opennicproject.org

Subject: Discuss mailing list

  • From: <rouben AT rouben.net>
  • To: discuss AT lists.opennicproject.org
  • Subject: Re: [opennic-discuss] Browser extension

Hi,

A couple of thoughts:

0. Browser extension is a brilliant idea, but SSL/TLS is an issue.
1. Avoiding or disabling SSL is a dead end, and generally a terrible idea,
IMO. What's the point of watering down security and privacy? We should be
advocating for both!
2. I strongly recommend going for a Let's Encrypt type CA - automated,
preferably just implementing the ACME protocol.

Aside from server-based TLS certs (WEB, SMTP, VPN, etc.), you have 2 more
common ones: S/MIME (email). Even if ACME protocol doesn't support S/MIME now,
it's not a big issue, since OpenNIC domains are hard to implement email
with... that is, if you want non-OpenNIC email service providers to send you
mail... and if you dual-home your email service with a regular (non-OpenNIC)
domain, well then you might as well get an S/MIME cert for your email for the
non-OpenNIC domain, so that the rest of the world can communicate with you
effortlessly.

Bottom line is, traditional CAs are clunky, and aside from the DogTag CA
codebase, and perhaps the CACert codebase (which is also available for
download and is open source), there don't seem to be any viable projects,
certainly not as active as Let's Encrypt's (i.e. ACME protocol
implementation).

IMHO, ACME is the way to go...

Rouben


