On Mon, 31 Mar 2003, Jason Richey wrote:
So, if the masses finally decide that we "need" SSL, who's paying for the security certificate? Or would we have to plan to run without a properly signed cert?
I have no problem with a self-signed cert; the idea is mainly to keep cleartext passwords off the public internet, not to verify that some megacorp has a physical address to track Wikipedia down if we steal someone's money without sending them their purchase.
If people want something that's been rubber stamped by a large corporation hundreds or thousands of miles away which probably won't actually bother to verify that we are who we say we are, they'll have to pony up the cash.
We haven't paid RSA or VeriSign a bajillion dollars to verify our SSH server key, either, but I feel a lot better using ssh to log in and give the databases a stir than I would using telnet.
Of course, the certificate would have to be "owned" by someone. Whose name is going to be on the certificate? Bomis'? That wouldn't make sense, since we'd have to get a new one when the non-profit is set up.
So Jimbo, how's the non-profit coming along? :)
-- brion vibber (brion @ pobox.com)