[Members] PayPal links

Peter Saint-Andre stpeter at stpeter.im
Wed May 20 10:10:58 CDT 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 5/20/09 8:46 AM, Jonathan Schleifer wrote:
> On 19.05.2009 at 23:43, Peter Saint-Andre wrote:
> 
>> Currently it is not free for us to generate certificates via StartCom
>> (and I don't think it ever would be free)
> 
> I wonder if this is a good idea for the foundation of a free,
> decentralized protocol to support a single, specific company (which is
> all but embracing being decentralized). I think if we really spend money
> for certs, we should try to be decentralized there as well and have
> agreements with other companies as well.

Feel free to recommend other CAs that would enable us to be an
Intermediate CA at a reasonable cost. When I did this research several
years ago, there were no such options.

No one is forcing anyone to use a cert issued by the XMPP ICA. We are
simply making it easier for XMPP server admins to obtain a CA-issued
certificate at a reasonable cost (free). In my experience, the vast,
vast majority of server operators really appreciate this service. A few
people don't, but they are free to buy a cert from VeriSign/Equifax/etc.
or to use CAcert.

>> so it seems appropriate to
>> ask for a donation when someone receives a certificate that otherwise
>> might cost them hundreds of dollars a year. :)
> 
> Well, the cert you get is not really comparable to the certs they sell
> :/. If you want to use your XMPP StartCom Cert for example for your
> website as well, you will get a warning in every browser, as they use a
> different Root CA for that. 

The certs issued by the XMPP ICA are for XMPP services, not HTTP
services. That's why it's called the XMPP ICA.

> So it's as useful as using some other
> service that's free, but not listed in the Root CAs of the 4 big
> browsers. 

The StartCom root is included in Mozilla, OS X, various Linux distros,
etc. StartCom is also working hard on inclusion into Windows.

> This is the reason why I went back to CAcert after trying the
> XMPP StartCom Cert, since the CAcert Root CA will most likely be
> included in the next Firefox version while the XMPP StartCom Root CA
> most likely never will. Or did they change the Root CA for the XMPP
> Certs now?

There are two different StartCom roots, the old one and the new one. We
need to transition the XMPP ICA to use the new one. I am not sure which
root cert is supported in Mozilla, but I thought it was the old one (the
Mozilla folks will need to do the same upgrade we're doing). I can check
on this.

BTW I thought you didn't care about SSL/TLS anyway, so what's the fuss?

Peter

- --
Peter Saint-Andre
https://stpeter.im/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkoUHYIACgkQNL8k5A2w/vyvxQCdFmU6s/5h4k03L95GLTfRY/Nb
+mgAnR/mA7RXOczFWNiZdhfnkjwlagNk
=CyeJ
-----END PGP SIGNATURE-----

