
cacert-de - Re: A new (?) take on CAcert & debian

Subject: German-language CAcert Support List

  • From: Benedikt Heintel <benedikt AT heintel.org>
  • To: cacert-de AT lists.cacert.org
  • Subject: Re: A new (?) take on CAcert & debian
  • Date: Mon, 24 Mar 2014 21:36:02 +0100

Dear Nick,

Your assumption is right, certificates do not need to be free of charge. However, CAcert has a mission to provide privacy to everyone. This actually means for nothing.

What does an audit cost? That depends on the audit. I would assume around 50.000 $ for the initial audit; however, money is not everything we need. We would fail the audit at the moment, which means we need to prepare for the audit first. We audit ourselves internally to find out how far we are and where we still need to improve.

Help is very welcome and donations, too.

Best Regards

Benedikt
CAcert internal Auditor

On 2014-03-24 18:30, Nick Jacobs wrote:

I think the community may have unreasonable expectations of CAcert.
Why do CAcert certificates have to be free of charge? Free as in freedom does not necessarily entail freedom from cost. It costs a lot of resources to complete a proper audit of a certifying authority.
People will work at software development without payment because software development is fun. Going through the tedious, but essential, procedure to complete an audit is not fun. If we want it done, properly, we're going to have to pay for it.
 
I'd have no problem paying a modest amount for a CAcert certificate. Presumably, the operation could be run on a not-for-profit basis and so the certificates would cost much less than the ~ $1,000/year charged by companies like Symantec.
 
This is just a thought - not a proposal. I don't know what it would take to get CAcert properly audited, beyond the obvious fact that it will take more resources than CAcert will be able to apply in the foreseeable future. Maybe somebody who fully understands the whole process can comment?
 
I have also seen (somewhere) the rumour that to get Microsoft to recognise a CA for MSIE requires a $50,000 payment to Microsoft. Since MSIE has a shrinking market share, I don't see the need to pay that. I assume that Mozilla and Google just want to see evidence of an audit. But again, maybe someone who knows the facts can comment.
 
Nick


