[tor-relays] OT: Self-signed SSL certs - was - Re: Watching the attacks on my relay

Roman Mamedov rm at romanrm.net
Sat Nov 9 15:30:13 UTC 2013


On Sat, 9 Nov 2013 12:50:18 +0000
mick <mbm at rlogin.net> wrote:

> I don't see any problem per se with a self-signed certificate on a site
> which does not purport to protect anything sensitive (such as financial
> transactions). The problem with this particular certificate is that
> the common name identifier is both wrong (www) and badly formatted
> (http://). But both of those errors can be corrected very quickly.
> 
> Why pay a CA if you don't trust the CA model?

If your primary objection is the need to pay for certificates (and not e.g. the
possibility of CA itself being backdoored etc), then I'd suggest considering
CACert[1]. It provides free wildcard certificates which are already trusted
out of the box by some[2] FOSS operating systems such as Debian.

I'd say it is better than trusting individual self-signed certs, and somewhat
better than using your own root CA cert, since it saves the effort required to
install your own CA on all machines you need to use it on.

[1] http://www.cacert.org/
[2] http://wiki.cacert.org/InclusionStatus


-- 
With respect,
Roman