@alios no, but besides #OpenPGP there are compatible interpretations like enc
that just work!
- @cacert was the better @letsencrypt but the #GAFAMs cockblocked and actively sabotaged that by virtue of refusing to include the #CACert Root-Certificate
This topic has been occupying my brain cycles for quite some time now. It's already so deep down that I spontaneously sing "I am CA" to the Village People's YMCA song :) So it's time to share with you all and get more input. (CA is Certification Authority in x.509 lingo, I'll explain it all in my blog series :) (Why didn't #cacert think about this many years ago? Damn ;)
@aral @EUCommission @nlnet call me weird but the developments of @letsencrypt vs. @cacert show everything wrong with the way #SSL works.
We would've had a superior alternative to #LetsEncrypt if #GAFAMs weren't able or even allowed to cockblock #CACert by refusing to import its ROOT-CA, whilst every commercial #CA gets their keys imported, no matter how shit they are or that they are essentially a hostile state actor!
@vlpatton The classic method is a key signing party. Get a bunch of people in the same room with legal photo identification and their fingerprints, and go around the room checking everyone else's ID. Then, go home and sign everyone's keys. Send the signed key to the key owner. Import signed keys and collect signatures!
Key servers sharing signatures haven't been a thing since the attacks years ago. Any modern keyserver will strip the signatures, so you'll have to distribute your key with signatures some other way (WKD, DNS, a file on your web site, etc.).
CAcert will do PGP key endorsements if you get enough assurances on their platform. Everyone with a signed key has had two forms of ID checked by two people. However, their infrastructure can only work on old-school RSA keys right now (they're working on modernizing).
#PGP #GnuPG #CAcert #KeySigningParty #cryptoparty #WebOfTrust
@leyrer
I didn't say that it is actually "trustworthy". But the fact is that this one and two other "trust service providers" exist in Austria. And all three also offer S/MIME-compatible certificates.
But you are basically right; #CAcert enjoys higher trust with me than the three combined.
For CAs, with the removal of the <keygen> element from the HTML standard, it is indeed no longer so easy to have the private keys conveniently generated in the customer's browser, push them into their certificate store, ... but #CAcert has found a technical solution (see https://blog.cacert.org/2024/02/finally-create-a-client-certificate-in-the-browser/ - even if CAcert is ruled out as a general-purpose CA for lack of integration in the browsers).
6/x
#cacert still exists?
Just got a mail notification that #CAcert relocated its association from Australia to #Switzerland, namely to #Geneva.
Wasn't aware that they're still alive and active after all the degradation due to expired and cryptographically outdated root certificates, etc.
I just (re-)assured two beings at CaCert. And in doing so noticed that my engagement with #CaCert has already been running for 19 years. Hats off that the organisation has existed this long!
20 years of #CAcert and the benefit is still very limited.
@MichalBryxi yeah...
As much as I'm still angry at #Microsoft, #Apple and #Mozilla for blocking #CACert to this day, @letsencrypt is a net positive.
And for the upper triple digits that cert costs per year, the process went quite fast and it took like 5 mins tops.
@drwho Shit like this makes me hate not just #snap but @letsencrypt because that's more code than the entire backend for @cacert ... acme.sh & #CertBot scripts they made AND certainly not more than the #API for #CAcert back in its days... I think there needs to be more and harder pushes for #FrugalComputing because there's no valid reason they basically shove an entire #OS onto an existing one...
@DeltaWye TBH, using a #VPN is a cheap and old #Ghettohack that had its right to exist before #CAcert, #LetsEncrypt and at a time where #EV-#SSL certs were 4-5 digits before taxes but there are reasons this isn't compliant to #PCIDSS anymore...
@rysiek the only thing that pisses me off re: #LetsEncrypt is that they basically got #VC-#TechBro #FastLane in regards to acceptance whilst #CaCert got #Cockblocked by #GAFAMs all day despite doing actual #DueDiligence re: who gets a #certificate.
But better @letsencrypt than no #SSL, even tho I think #X509 is bad and instead we should've #OpenPGP-based #encryption for everything...
In the past I always created my certificates at #Cacert, in the hope that sooner or later they would manage to get their root certificates integrated.
Unfortunately, still not to this day. :(
Which provider is currently recommended?
@wez @voltagex I purchased a code signing certificate from SignMyCode.com and it's worked great. Though I bought it before the HSM requirements went into place, I don't automate anything with it, though it's a tempting idea.
There's always #CAcert, but they'll probably never be globally trusted.
@ljrk @lexd0g SSL is trash because it requires value-removing middlemen aka. CAs to work and the inherent structures in IT cockblocked community-based CAs like #CACert for digital philanthropy aka. @letsencrypt / #LetsEncrypt...
SSL is systemically bad and unfixable per design - period.
I don't see the added value of Passkeys over API-Keys, Login-Cookies and proper Login Management...