undefined | Better HN

0 pointsersii8y ago0 comments

That doesn't mean that things will be pleasant forever. There are plenty of shady non-profit organizations.

0 comments

5 comments · 2 top-level

anilgulecha8y ago· 2 in thread

Though the stack being FOSS means it's easy to move to a new org when this happens.

It's not that easy. I mean the code is there but the infrastructure needs to be provisioned and it takes time to gain trust in the CA world, see CACert.

tialaramex8y ago

CACert is a weird example because their model was completely at odds with how everybody else (yes now including Let's Encrypt) does things.

CACert says this is trustworthy because you have to know somebody who knows somebody who knows somebody etcetera. The profiles with a single photo of a swimsuit wearing young woman and a generic-sounding name that say they know me from school on Facebook every few weeks can tell you what happens to that idea at scale.

In contrast all the trusted public CAs (commercial or not) have a bunch of employees either directly making validation decisions according to some company policy or writing software to automatically make such decisions.

In theory maybe CACert's model really could work, but what it definitely can't do is work the same way as everybody else. So it was very hard to get anyone to give them a chance, still less after they started to have internal squabbles.

You are correct that gaining trust takes time, but what a conventional CA does (with the exception of maybe Verisign and Thawte which are _really_ old) is they first get an existing trusted CA else to sign a subCA certificate saying they trust the new CA. The ordinary "Let's Encrypt Authority X3" certificate is signed by IdenTrust (it says "DST Root CA X3" on it but the Digital Signature Trust no longer exists). There's another copy of the same certificate signed by ISRG, but that's only trusted in much newer software. Modern Firefox, current macOS or iOS, but not say, Internet Explorer 10

1 more reply

Fnoord8y ago· 1 in thread

That cannot be a reasonable dealbreaker though. If you follow that advice you can't do business with any business. Nor any NGO for that matter.

ersiiOP8y ago

I've never mentioned that to be a dealbreaker for anyone, least not for me. Just wanted to make it clear that any organizational form can be shady, not just corporations.

It's just a statement, with no emotion added to it from my side.

j / k navigate · click thread line to collapse