Delete me

Wolfgang Spraul wolfgang at openmoko.org
Sat Jul 11 12:50:53 CEST 2009 

Robin,

> there's been discussion over this before, several people have
> pointed out it's a shoddy way to do things. apparently openmoko sign
> their own certificates (i think), so it's not recognised as coming
> from a certificate authority.


It's a long story, but definitely not a 'shoddy way'.
A long time ago, we decided to use the community-driven certificate 
authority CAcert.org
Please read more about it at http://en.wikipedia.org/wiki/Cacert

This noble cause unfortunately brought some practical problems with it - 
very few browsers natively acknowledge the CAcert root certificate, 
until today.
Why couldn't we just have paid the 30 USD or whatever it takes to get 
'regular' SSL certificate from cheap shops such as GoDaddy etc? Of 
course we could, but we had made so many choices against convenience and 
in favor of doing 'the right thing', that adding this one more seemed 
natural to the people that were doing the work back then.

Fast forward to today, please understand that pretty much everybody in 
the Openmoko community is now a volunteer. So even though the CAcert 
idea might have been a noble cause, today the complications it brings 
are aggravated by certificates that have expired, etc.
Maybe we can improve the certificates one day, maybe enable 
personalization for the mailing lists so that one-click unsubscribe 
footers are possible, etc.
The people that are maintaining the servers in their free time deserve 
our support.

Cheers everybody!
Wolfgang

Robin Paulson wrote:
> 2009/7/11 Andreas Jonasson <andreas-jonasson at telia.com>:
>   
>> I actually did click that link before I sent my initial email to you but got
>> an error message saying that there is a problem with the security
>> certificate of this site. It is recommended that I do not proceed to visit
>> this site. I don't understand the risk with ignoring such messages. Sorry
>> for the trouble.
>>     
>
> yeah, there's been discussion over this before, several people have
> pointed out it's a shoddy way to do things. apparently openmoko sign
> their own certificates (i think), so it's not recognised as coming
> from a certificate authority. there's three things you can do:
>
> 1. change the 'https' at the start of the address to 'http'
> 2. manually accept the certificate
> 3. tell openmoko this is a bad way to do things, and to either get
> certificates which aren't signed by them, or not use an https address
> for something as trivial as unsubscribing from an email list. it
> scares and confuses people to 'Add Security Exceptions'
>
> _______________________________________________
> support mailing list
> support at lists.openmoko.org
> https://lists.openmoko.org/mailman/listinfo/support
>

More information about the support mailing list