A better approach to security

[hwit AT a-domani.nl]

On 2017-06-27 07:52, Pavel Volkov wrote:
> On вторник, 27 июня 2017 г. 2:08:00 MSK John Griessen wrote:
> > I just went through all the work of generating some certs after 
> > reading
> > there was some new uptake of cacert certs by browsers.
> >
> > It does not bear out in testing with firefox or chrome by others 
> > attempting
> > to use my sites -- they get warnings to stay away.
> >
> > So I've gone back to certbot:
> > https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf
> >
> > Seems the cacert method has more real identity verifying by assurers 
> > than
> > any automated self sworn affidavit done in between pushing buttons for 
> > a
> > letsencrypt.org cert, so why is it that cacert has not gotten into 
> > browsers
> > "known root certs" list?
>
> Short answer: money required for the official audit procedure ($75000
> initially and $10000 annually).
> Lets Encrypt is web-oriented, it no need to verify your identity — its
> function is to assure that secret key holder for a given certificate 
> controls
> the domain, it generates the same type of certificates (DV) as CAcert. 
> certbot
> is good-enough tool.
> CAcert's idetity verification allows you to also sign emails and code 
> :)


So, if I understand correctly, it boils down to liquidity.
Even though cacert is run by volunteers, it's results, must be audited 
by independant (and unfortunately commercial) group of auditors.

Remaining question: is cacert's goal still to achieve this status.
And if yes, how far are we from obtaining this?

Isn't it possible to obtain a grant from Google, RedHat, SuSE, Primekey?

Did you consider paid membership? Other ways of crowd-funding? Anything 
else?


Hans.