Post by Wytze van der Raay:
> I consider it as both a good comic and a sign to remind all of us to
> think about the meaning of CAcert and its differences with other
> sources of digital certificates, paid or free.
Yes, that was my first thought after reading the comic, too. But after
reading the follow-ups to IanG's posting, I'm not sure about any meaning
of CAcert in the future.
Why? Let me point out two things:
I'm a "normal" CAcert member, being an assurer, reading the blog and
this list etc. But I did not feel well informed about what
happened in CAcert... The blog is very low traffic and on this list I
could read a lot of personal fights. A lot of these mails are taken out
of context and cannot be understood by normal members who cannot
read the internal groups. We had complaints against IanG on this list,
and after that a new board was elected; at an SGM IanG was elected
as chair, and an "underground" group was founded to move CAcert from
Australia to Europe...
Wait, what...???
Everything in CAcert has been very confusing for many years and I'm missing
a kind of (periodic) newsletter to all members. Please explain in simple
words what is happening in CAcert right now.
The clearest words in the last months came from Eva, who asked for
people for the support team.
Second, I sense that the amount of people who "live" for CAcert is
dramatically decreasing:
I have been an assurer since 2007, but mainly active at conferences. In 2009, at the
Ubucon and the CCC Congress, I assured with a lot of enthusiastic and
experienced assurers, who taught me a lot about assuring and "reading"
foreign passports.
In 2011, for the CCC Camp, I asked on the mailing list about something to
promote CAcert. I could get the big banner for doing a CAcert "booth" at
the camp. I could quickly find some other assurers via Twitter and the
Camp Wiki. We promoted some assuring events, assured a lot of new people
and had a lot of fun.
At that time, suddenly *I* was the experienced assurer there and could
pass on everything I had learned at the earlier events to the others.
I think this working together is the way CAcert should work.
But: We were asked many many MANY times about the browser integration of
CAcert and could not answer this. And everybody who asked this on the
mailing list only got stupid answers in the past...
Well, in 2015, I tried to get the banner again for the CCC Camp. Asking
on the German mailing list I only got one snotty answer. Later, at the
camp, I was the only person wearing a CAcert T-shirt. I was very
demotivated about CAcert after the camp. Where are the people from 2011,
where was the help getting the banner, where was the spirit of CAcert?
But the 2015 camp was not a complete CAcert disaster for me: Eva and
Bernhard noticed my T-shirt and they tried to convince me that CAcert is
not dead. Thanks for all the talking about CAcert to both of you.
And lastly on this topic, a personal statistic: In 2011 after the
camp, I reached a total of 150+ assurances. This small amount of
assurances pushed me into the Top 100 of the assurer list. After that, I
visited only the 2015 camp and so I only made one new assurance in
the past 5 years... But: I'm still in the SAME position on the
Top Assurers list... How can this happen? Are there NO people in the
community who are doing assurances any more?
Well, CAcert is a CA which is not integrated in the browsers and where
people who are asking about this were hooted down. In CAcert, the people
fight against each other on this list, and from the point of view of a normal
member, no positive activity to advance CAcert can be named.
On the other hand we have had StartSSL for many years and now Let's Encrypt.
Both offer SSL certificates without pain and with
browser integration. Who needs CAcert any more? When you discover that
you are riding a dead horse...
But I still hold the opinion that CAcert is a lot better than other
CAs. After reading my negative thoughts, this will be a surprise for you.
Why? Because Let's Encrypt and all the commercial CAs only do
domain-based verification. This might be OK, but CAcert does a
personal validation. When I see a CAcert certificate and take a look
into it, I can be sure that this certificate belongs to THIS person.
Not a domain, a person. But as long as CAcert is not integrated, this is
only theoretical. Yes, I can install CAcert on EVERY one of my devices and
can teach my neighbourhood to do so. But at least at work I probably
have an environment where I don't have the right to do this...
But on the other hand: The certificate system is collectively dead. There
is a lot of news about CAs which were compromised by hackers
or generated false certificates by mistake. Why should I trust any
of them?
The solution to this could be to return the control of certificates to
the users, so that nobody needs CAs any more. They should generate the
certificates for their services on their own and publish them via DANE.
Yes, DANE is not very common. But today there are services like Postfix
that will use the certificates from DANE/DNS for transport encryption.
Nastily put, the acceptance of DANE is much higher than the acceptance
of CAcert...
Nobody needs another CA. But doing propaganda for DANE etc. could be a
good project for CAcert.
Well, good Night,
Thorsten
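The DANE approach Thorsten sketches (a self-generated certificate published in DNS so that a mail server such as Postfix can authenticate it without any CA), as an added example that is not part of the original post and not code from CAcert or Postfix: it derives the TLSA record an operator publishes for its own certificate and the check a DANE-aware client performs, following RFC 6698. The certificate and SubjectPublicKeyInfo bytes are constructed stand-ins rather than real DER, and the host name mail.example.net and the Postfix settings named in the docstring are illustrative assumptions. One caveat the post leaves implicit: a TLSA record is only worth anything when the zone is DNSSEC-signed and the resolver validates it, otherwise an attacker who can spoof DNS can simply publish a record for their own key.

```python
"""Build and verify DANE TLSA records (RFC 6698) for a self-issued
certificate, so that a mail server such as Postfix (with
smtp_dns_support_level = dnssec and smtp_tls_security_level = dane)
can authenticate it without a CA.

Added example; not code from the original post, CAcert or Postfix.
The certificate and SPKI bytes below are constructed stand-ins, not
real DER. With a real certificate the SPKI DER comes from:
  openssl x509 -in cert.pem -noout -pubkey | openssl pkey -pubin -outform DER
"""
import hashlib
from dataclasses import dataclass

# RFC 6698 field values
USAGE_DANE_EE = 3        # DANE-EE: trust this end-entity cert directly, no CA needed
SELECTOR_FULL_CERT = 0
SELECTOR_SPKI = 1        # SubjectPublicKeyInfo: survives cert renewal with the same key
MATCH_EXACT = 0
MATCH_SHA256 = 1
MATCH_SHA512 = 2


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    matching: int
    data: bytes

    def presentation(self) -> str:
        """RDATA in zone-file presentation format, e.g. '3 1 1 <hex>'."""
        return f"{self.usage} {self.selector} {self.matching} {self.data.hex()}"

    @classmethod
    def parse(cls, rdata: str) -> "TLSA":
        """Inverse of presentation(); raises on malformed input."""
        usage, selector, matching, hexdata = rdata.split()
        return cls(int(usage), int(selector), int(matching), bytes.fromhex(hexdata))


def _digest(matching: int, payload: bytes) -> bytes:
    """Apply the matching type to the selected certificate data."""
    if matching == MATCH_EXACT:
        return payload
    if matching == MATCH_SHA256:
        return hashlib.sha256(payload).digest()
    if matching == MATCH_SHA512:
        return hashlib.sha512(payload).digest()
    raise ValueError(f"unknown matching type {matching}")


def tlsa_for(cert_der: bytes, spki_der: bytes, usage: int = USAGE_DANE_EE,
             selector: int = SELECTOR_SPKI, matching: int = MATCH_SHA256) -> TLSA:
    """Server side: the TLSA record the operator publishes for its own cert.
    The default '3 1 1' is the form commonly recommended for SMTP."""
    payload = spki_der if selector == SELECTOR_SPKI else cert_der
    return TLSA(usage, selector, matching, _digest(matching, payload))


def tlsa_owner(host: str, port: int = 25, proto: str = "tcp") -> str:
    """Owner name of the record, e.g. _25._tcp.mail.example.net (assumed host)."""
    return f"_{port}._{proto}.{host}"


def matches(record: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """Client side: does the presented certificate satisfy this TLSA record?
    Only DANE-EE (usage 3) is handled; usages 0-2 additionally need PKIX
    chain validation, which is out of scope here."""
    if record.usage != USAGE_DANE_EE:
        raise NotImplementedError("only DANE-EE (usage 3) is verified here")
    payload = spki_der if record.selector == SELECTOR_SPKI else cert_der
    # digests have fixed length, so an ordinary comparison is adequate
    return _digest(record.matching, payload) == record.data


# Constructed stand-ins for the DER-encoded certificate and its SPKI.
SAMPLE_CERT_DER = b"constructed-stand-in-for-DER-certificate"
SAMPLE_SPKI_DER = b"constructed-stand-in-for-SubjectPublicKeyInfo"

if __name__ == "__main__":
    rec = tlsa_for(SAMPLE_CERT_DER, SAMPLE_SPKI_DER)
    print(f"{tlsa_owner('mail.example.net')}. IN TLSA {rec.presentation()}")
```

Publishing a "3 1 1" record (selector SPKI) rather than "3 0 1" (full certificate) is what lets the operator renew the certificate without touching DNS, as long as the key is kept; the test below checks exactly that difference.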