On Mon, Mar 31, 2003 at 01:37:35PM -0800, Jason Richey wrote:
So, if the masses finally decide that we "need" SSL, who's paying for the security certificate? Or would we have to plan to run without a properly signed cert?
Of course, the certificate would have to be "owned" by someone. Whose name is going to be on the certificate? Bomis'? That wouldn't make sense, since we'd have to get a new one when the non-profit is set up.
Whether SSL is a good idea in this situation isn't the issue. Setting it up properly involves getting some other things done first. IMHO, moving forward on SSL at this point would be slightly premature.
Passive attacks are very easy and very common; active attacks are much more difficult and a couple orders of magnitude more rare.
We don't really need to care about someone signing our certs. We have much bigger security holes anyway ;)