If I may be permitted to make a few observations:

1) I am not related to MF or CACert. I am a programmer/computer consultant and provide email services and webhosting to some of my clients. These are very small sites, not big buck companies; not one of them can justify paying the prices Verisign charges.

2) I think the CACert concept is excellent. I have long balked at the highway robbery of the Verisign$ monopoly.

3) This bug/request was entered/opened in August of 2003. It is now Jan 30, 2005!! For crying out loud... how about a little bit less heel dragging?!?... Just how the heck long does it take to make a decision anyway...?? See especially this link: http://www.heretical.com/miscella/parkinsl.html It makes me wonder how the absolutely superlative FireFox ever managed to happen to begin with, if this is typical of your decision making process...

4) I am strongly disinclined to install and configure a bunch of stuff just so that I can access your news forum. Is it really too much trouble to use a web based forum like the majority of people do these days? Am I the only person who has made the observation that usenet type news services appear to be fading into obscurity? Web forums are the new paradigm.

5) People keep harping on the idea of shipping a disabled certificate as a so-called "solution". At the risk of being insulting, may I point out that this is an absurd and ill conceived notion showing a major lack of conceptual insight into the actual goal... (that's the toned down version). Now look, what is the goal? The goal is that people can go to a site which uses a CACert; and without any fuss or bother they can access that site using SSL. Now, what happens when you go to a site for which there is no trusted certificate installed? Well, you get a dialog that pops up and warns you that there is no valid certificate and asks if you would like to install it. The dialog itself looks kind of ominous and intimidating.
So the very justifiable concern is that users won't want to accept the certificate and won't be able to access the site, and may very probably turn into a support contact phone/email which then requires manpower to deal with; or else they just leave, never to be seen again. Now, what happens when you go to a site for which you have a disabled certificate installed???? Well, gee whiz... the very same dialog, or a close cousin, pops up and ominously intimidates the user by warning them that there may be a certificate available for this site but it's been disabled because MF doesn't trust it enough to be willing to install it properly.... And it asks the user the very similar question of whether or not to activate it. Now the whole goal of all of this is so that the end user does not have to get all freaked out by all these strange pop up warnings. I think that most of the people reading this Bugzilla have a good appreciation for the discomfort level of the typical novice computer user. And then there is the fact that to implement this "installed but disabled" thang, you will have to write quite a bit of extra code, and add still more functionality that few people will know how to use. And the net effect is that the user must go through just as much effort, if not more. And the overall complexity of the software increases, with no net benefit.

6) So the question is.... Shall big buck unscrupulous corporate monopolies (Verisign) be allowed to control and dominate the security of the internet? Or shall we embrace a viable and open alternative?

7) Now I can certainly appreciate the very legitimate concern that you do not want to open the floodgates to an anything goes environment. But as has been ably pointed out elsewhere in this discussion, it is also not fair to hold newcomers to a higher standard of entry than what the established companies have had to meet. And it is not fair to impose financially burdensome procedures onto applicants.
The financial burden does nothing to ensure the integrity of the applicant; all it does is to raise the bar so high as to ensure the continuation of the monopoly, and that only companies with deep pockets and strong profit motives shall ever succeed in getting approved. If that was the kind of world you wanted to live in, then you would have never written the superb FireFox.

By all appearances the CACert endeavour is a legitimate and very worthwhile solution. It saddens me to see how much foot dragging has occurred. Surely in the year and a half that this bug has been active, people could have reached a level of agreement? A great opportunity was lost when the CACert failed to ship with the 1.0 release. Perhaps it can be added to the auto-updater?

Well, that's my 3 cents worth. It's not my intention to be insulting, but as an outsider giving an objective view of this situation, I feel a lot of frustration with the way in which it was handled. And I believe that Duane is deserving of a lot of credit for his restraint and enduring patient persistence. This alone speaks quite well of his endeavour.

And if you think that the little tiff that occurred with their board meeting is a basis for disqualifying them, then allow me to ask what is your basis of comparison? What is your frame of reference? Have you ever been privy to the board meeting of Verisign? Why do you think that they are free of political maneuvering and clashes of opinion? Most assuredly they are not. You want transparency? Verisign won't even tell you what they are up to; but for better or worse CACert has the courage to show you every wart.

Again, I say, it is not my intention to be insulting. MF has made a fantastic contribution to the world, and people have worked very hard to do it. But it is my hope that this somewhat acerbic commentary will light a F I R E and get this thang moving forward. It's long overdue...

Ciao,
-- Erik