* [gentoo-dev] CA-certified SSL
From: Dirkjan Ochtman @ 2013-02-05 16:59 UTC
To: Gentoo Development
Hi,
IIRC, we currently don't have CA-certified SSL certificates on Gentoo
properties because the infrastructure people who handle that kind of
stuff really dislike giving up their personal information to a
corporation like a CA. Would it be possible to break that logjam by
volunteering for the job of requesting the certificates?
I think it's really quite silly that we keep inconveniencing ourselves
and our users by not having proper certificates that get recognized by
all the major browsers, preferably wildcard variants (particularly for
Bugzilla attachments).
I'd be happy to handle the certificates and renew them whenever
needed, passing them on to infra staff via a channel they deem secure
enough, although it would be nice if someone else can provide me with
funds (e.g. the Trust/Foundation?).
Cheers,
Dirkjan
* Re: [gentoo-dev] CA-certified SSL
From: Rich Freeman @ 2013-02-05 18:06 UTC
To: gentoo-dev
On Tue, Feb 5, 2013 at 11:59 AM, Dirkjan Ochtman <djc@gentoo.org> wrote:
> I think it's really quite silly that we keep inconveniencing ourselves
> and our users by not having proper certificates that get recognized by
> all the major browsers, preferably wildcard variants (particularly for
> Bugzilla attachments).
My knee-jerk reaction is that your browser has a bug. It thinks that
it is appropriate to sound alarms for unauthenticated SSL connections
but not for unauthenticated non-SSL connections. A workaround is to
emerge ca-certificates.
That said, I do understand your concerns (my pet peeves with the CA
infrastructure and modern browsers notwithstanding).
>
> I'd be happy to handle the certificates and renew them whenever
> needed, passing them on to infra staff via a channel they deem secure
> enough, although it would be nice if someone else can provide me with
> funds (e.g. the Trust/Foundation?).
I'm sure the trustees would be interested as long as this was aligned
with infra. I'd reach out to them first and work out a plan - paying
for it is likely to not be a big issue (and we've had offers of
donated certificates as well).
Rich
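An added example, not part of the thread, of what Rich's "emerge ca-certificates" workaround actually changes and what the wildcard certificate Dirkjan asks for does and does not cover. It builds a throwaway private CA standing in for a "real" CA, has it issue a wildcard leaf, and runs `openssl verify` first against the system trust store (which, like the user's browser, has never heard of this CA) and then with the CA supplied as a bundle. The CA name, `example.org` and all file names are made up for the example; it assumes a current `openssl` CLI (1.1.1 or 3.x) on PATH.

```shell
#!/bin/sh
# Added example (not code from the thread). Everything is generated locally in a
# temp dir; "Example Private CA", example.org and the file names are invented.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. A self-signed root standing in for a CA that browsers would ship.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Example Private CA" -keyout ca.key -out ca.crt 2>/dev/null

# 2. A wildcard leaf issued by that root (the "wildcard variant" the thread asks for).
openssl req -new -newkey rsa:2048 -nodes \
  -subj "/CN=*.example.org" -keyout leaf.key -out leaf.csr 2>/dev/null
printf 'subjectAltName=DNS:*.example.org\nbasicConstraints=CA:FALSE\n' > leaf.ext
openssl x509 -req -days 1 -in leaf.csr -CA ca.crt -CAkey ca.key \
  -CAcreateserial -extfile leaf.ext -out leaf.crt 2>/dev/null

# verify_leaf CERT HOSTNAME [CAFILE]
# Succeeds only if CERT chains to a trusted root AND its names cover HOSTNAME.
# Without CAFILE only the system trust store is consulted, which is the
# position a browser is in; CAFILE models installing the issuer's root
# (what a ca-certificates package does for a public CA).
verify_leaf() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$3" -verify_hostname "$2" "$1" >/dev/null 2>&1
  else
    openssl verify -verify_hostname "$2" "$1" >/dev/null 2>&1
  fi
}

report() {
  if verify_leaf "$@"; then echo "OK   $2 (trust: ${3:-system store})"
  else echo "FAIL $2 (trust: ${3:-system store})"; fi
}

report leaf.crt bugs.example.org                  # FAIL: unknown issuer
report leaf.crt bugs.example.org ca.crt           # OK:   root now trusted
report leaf.crt attachments.bugs.example.org ca.crt  # FAIL: wildcard is one label
report leaf.crt example.org ca.crt                # FAIL: wildcard needs a label
```

The two hostname failures are the caveat to ask for when requesting a wildcard: `*.example.org` covers exactly one label, so a host one level deeper, or the bare domain, needs its own name in the certificate's subjectAltName.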
* Re: [gentoo-dev] CA-certified SSL
From: Dirkjan Ochtman @ 2013-02-05 18:10 UTC
To: Gentoo Development; +Cc: infra
On Tue, Feb 5, 2013 at 7:06 PM, Rich Freeman <rich0@gentoo.org> wrote:
> My knee-jerk reaction is that your browser has a bug. It thinks that
> it is appropriate to sound alarms for unauthenticated SSL connections
> but not for unauthenticated non-SSL connections. A workaround is to
> emerge ca-certificates.
>
> That said, I do understand your concerns (my pet peeves with the CA
> infrastructure and modern browsers notwithstanding).
I understand your concerns as well, but I think practicality should
win over purity here.
> I'm sure the trustees would be interested as long as this was aligned
> with infra. I'd reach out to them first and work out a plan - paying
> for it is likely to not be a big issue (and we've had offers of
> donated certificates as well).
I'm sure some infra people read this list, but I'll CC them here just
to be sure.
Cheers,
Dirkjan
* Re: [gentoo-dev] CA-certified SSL
From: Alec Warner @ 2013-02-05 18:48 UTC
To: gentoo-dev
On Tue, Feb 5, 2013 at 10:06 AM, Rich Freeman <rich0@gentoo.org> wrote:
> On Tue, Feb 5, 2013 at 11:59 AM, Dirkjan Ochtman <djc@gentoo.org> wrote:
>> I think it's really quite silly that we keep inconveniencing ourselves
>> and our users by not having proper certificates that get recognized by
>> all the major browsers, preferably wildcard variants (particularly for
>> Bugzilla attachments).
>
> My knee-jerk reaction is that your browser has a bug. It thinks that
> it is appropriate to sound alarms for unauthenticated SSL connections
> but not for unauthenticated non-SSL connections. A workaround is to
> emerge ca-certificates.
>
> That said, I do understand your concerns (my pet peeves with the CA
> infrastructure and modern browsers notwithstanding).
Doesn't work on my non-Gentoo OS. Perhaps we should provide debs and rpms? :)
>
>>
>> I'd be happy to handle the certificates and renew them whenever
>> needed, passing them on to infra staff via a channel they deem secure
>> enough, although it would be nice if someone else can provide me with
>> funds (e.g. the Trust/Foundation?).
>
> I'm sure the trustees would be interested as long as this was aligned
> with infra. I'd reach out to them first and work out a plan - paying
> for it is likely to not be a big issue (and we've had offers of
> donated certificates as well).
>
> Rich
>
* Re: [gentoo-dev] CA-certified SSL
From: Rich Freeman @ 2013-02-05 19:48 UTC
To: gentoo-dev
On Tue, Feb 5, 2013 at 1:48 PM, Alec Warner <antarus@gentoo.org> wrote:
> Doesn't work on my non-Gentoo OS. Perhaps we should provide debs and rpms? :)
That sounds like a separate bug. We provide handbooks for that one. :)
Rich
(And yes, as I noted in my original post I realize that certs from a
"real" CA would benefit some. As long as it is coordinated through
infra and the cost is reasonable I would be supportive as a trustee.
My posts tend to be more idealistic than my votes.)