On Mon, 31 Mar 2003, Jason Richey wrote:
So, if the masses finally decide that we "need" SSL, who's paying for
the security certificate? Or would we have to plan to run without a
properly signed cert?
I have no problem with a self-signed cert; the idea is mainly to keep
cleartext passwords off the public internet, not to verify that some
megacorp has a physical address to track Wikipedia down if we steal
someone's money without sending them their purchase.
If people want something that's been rubber stamped by a large corporation
hundreds or thousands of miles away which probably won't actually bother
to verify that we are who we say we are, they'll have to pony up the
We haven't paid RSA or VeriSign a bajillion dollars to verify our SSH
server key, either, but I feel a lot better using ssh to login and give
the databases a stir than I would using telnet.
Of course, the certificate would have to be "owned" by someone. Whose
name is going to be on the certificate? Bomis'? That wouldn't make
sense, since we'd have to get a new one when the non-profit is set up.
So Jimbo, how's the non-profit coming along? :)
-- brion vibber (brion @ pobox.com