Policy-Discussion

["Peter Williams " <home_pw AT msn.com>]

I've been learning some back history about cacert, mozilla audits and the 
like.

One detractor (evidently involved in cacert prehistory) is calling for openid 
to remove cacerts root, inherited from the modern debian roots package). 
While this is an entirely proper thing to do (since openid calls https as a 
server thread, not as a browser) as webapps ought to have their own criteria 
on which cas are suitable for unusual/custom uses of https  (eg openid 
discovery protocol) , picking on cacert as uniquely inappropriate seems a 
little over the top. I suspect there are some personal emotions going on.

Id recomment cacert plead it own case to openid types. They are stuggling 
with the wider issues concerning roots inclusion/exclusion and perhaps (once 
well informed) folks can help them understand the barriers challenges and 
opportunities that cacert faces.

general AT opeid.net.


The topic is even related to enum, since openid uses xri names, which neustar 
also uses to help search out e164 mappings in h323/h245 call agent 
signalling/negotiations/admissioncontrol  in the voip world - supporting 
secure rtp and secure rctp. 

-----Original Message-----
From: Pete Stephenson 
<pete AT heypete.com>
Sent: Monday, December 22, 2008 7:17 AM
To: 
cacert-policy AT lists.cacert.org
Subject: Re: [CAcert-Policy] Reminder - SSL Certificate for *.blahblah.org 
expires in 10 Days

Ian G (Audit) wrote:
 > Does anyone have a view as to how to deal with this, if it were directed
 > against CAcert?  Just curious -- is this a threat or an opportunity?
 >
 > iang
 >
 >
 >
 > -------- Original Message --------
 > Subject:       Reminder - SSL Certificate for *.startcom.org expires in 10 
 > Days
 > Date:  Sun, 21 Dec 2008 23:59:39 GMT
 > From:  Certstar 
 > <support AT certstar.com>
 > Reply-To:      
 > support AT certstar.com
 > To:    
 > webmaster AT startcom.org
 >
 >
 >
 > Dear Webmaster,
 >
 > *** Expire Notice for SSL Certificate issued to *.startcom.org ***
 >
 > Your SSL certificate will expire in 10 Days! It is important that you
 > purchase a new certificate to ensure that the security of your website
 > or application is maintained. If you are not the webmaster please
 > forward this message to the appropriate person in your organization.
 >
 > Current Certificate:
 >    Cert Type.: Standard SSL (or similar)
 >    Valid from: 2008-01-01
 >    Expires...: 2008-12-31
 >    Hostname..: *.startcom.org
 >
 > Renew with Certstar: http://www.certstar.com/renew/startcom.org/
 > One to five year terms available starting at just $29 per year.
 >
 > This email is sent as courtesy reminding you to replace your SSL
 > certificate before it expires and does not indicate customer
 > relationship. Replacing/renewal services for certificates are offered by
 > a multiple providers we do however you will trust Certstar for your
 > certificate needs.
 >
 > If you require support or would like to discuss your options with a
 > sales representative, please use the contact details below.

 This reminds me of those seedy letters sent out by domain registrars
 offering to renew one's domain for some horribly inflated price.

 The fact that Certstar has a cert from Equifax (rather than themselves)
 and uses poor grammar in their spammy message doesn't bode well either.

 I would hope that CAcert members would recognize it as such, and ignore
 it. If it gets to be a problem, maybe it'd make sense to put a small
 notice on the CAcert site until it dies down for a bit?

 I like to think (and perhaps I'm wrong) that people involved with
 SSL-related issues tend to be administrators, and thus reasonably
 intelligent people who can identify such emails as being seedy.

 --
 Pete Stephenson
 HeyPete.com