Off to San Diego tommorrow for TPC/OSCON. I've not flown with British Airways since 1995 when after two flights with dismal customer service I vowed never to fly with them again. However, London to San Diego was cheapest with BA and I didn't fancy paying the price difference. Also they might be better now, they've got the seat back TV screens. I now know two BA pilots too, but neither is flying the outward or return flights :(
Well I can't leave until I pack, and I can't pack until I've finished work, and that means writing Apache Week. People have been asking about the OpenSSL exploit, so I need to write that up, together with a company that is giving out free server certificates.
My entire trust model for SSL is based on that fact that anyone who can issue a server certificate "does the right thing". That means they check who I am and that I have the right to use the name I've asked them to certify. Otherwise someone else could register my name, or something similar to it, and theres no point having SSL do authentication anymore. How can a company giving out free certificates afford to do any checking? But then I've heard of Verisign and Thawte making serious mistakes issuing certificates, so I probably had a false sense of security anyway.