Certificate Authority

The alpha-labs.net server and every service on it use certificates signed by the alpha-labs.net certificate authority. Because that CA is not in any browser's trust store, its certificates count as “self-signed”, and every client will warn about them. That warning is correct: out of the box you have no reason to trust the certificate in question.

Unless and until DANE becomes standard in the major browsers, there is no comfortable way to trust someone else's certificate authority. If you do have a DANE-aware browser, there is no need to import the certificate authority at all.
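As an added illustration of why a DANE-aware client needs no imported CA (example code, not part of alpha-labs.net): a TLSA record with usage 2 (DANE-TA) publishes a hash of the CA certificate in DNS, and the client accepts any presented chain that contains that anchor. The certificate bytes below are constructed placeholders, and the DNSSEC signing of the record is assumed rather than shown.

```python
import hashlib
import hmac

# TLSA presentation format (RFC 6698): "usage selector matching-type assoc-data-hex".
def parse_tlsa(rr: str):
    usage, selector, mtype, data = rr.split()
    return int(usage), int(selector), int(mtype), bytes.fromhex(data)

def tlsa_assoc_data(cert_der: bytes, mtype: int) -> bytes:
    """Certificate association data for selector 0 (the full DER certificate)."""
    if mtype == 0:
        return cert_der                       # exact match, no hashing
    if mtype == 1:
        return hashlib.sha256(cert_der).digest()
    if mtype == 2:
        return hashlib.sha512(cert_der).digest()
    raise ValueError(f"unsupported matching type {mtype}")

def tlsa_record_for(cert_der: bytes, usage: int = 2, mtype: int = 1) -> str:
    """Rdata an operator publishes at _443._tcp.<host> for a certificate (selector 0)."""
    return f"{usage} 0 {mtype} {tlsa_assoc_data(cert_der, mtype).hex()}"

def chain_matches_tlsa(chain_der, rr: str) -> bool:
    """Check a presented chain (leaf first) against one TLSA record.
    usage 3 (DANE-EE): the leaf itself must match.  usage 2 (DANE-TA): some
    certificate in the chain must match the published anchor; this is how a
    DANE-aware client accepts a private CA without the user importing it (a
    real client also verifies the signatures up to that anchor, omitted here).
    usage 0/1 (PKIX-*) need trust-store validation too, so no match is claimed.
    """
    usage, selector, mtype, data = parse_tlsa(rr)
    if selector != 0:
        raise ValueError("only selector 0 (full certificate) is implemented here")
    if usage == 3:
        candidates = chain_der[:1]
    elif usage == 2:
        candidates = chain_der
    else:
        return False
    return any(hmac.compare_digest(tlsa_assoc_data(c, mtype), data) for c in candidates)

# Constructed sample input: placeholder byte strings standing in for the DER of
# the alpha-labs.net CA and of a service certificate it signed (not real certs).
CA_DER = b"constructed-placeholder-ca-certificate"
LEAF_DER = b"constructed-placeholder-service-certificate"
PUBLISHED_RR = tlsa_record_for(CA_DER)   # what the DNS TLSA record would carry
```

Calling `chain_matches_tlsa([LEAF_DER, CA_DER], PUBLISHED_RR)` returns True, while the same chain without the CA, or a usage-3 record for the CA, does not match.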

If you do trust the alpha-labs.net certificate authority, you implicitly trust every service it has signed. To trust us, import our public certificate authority file, which can be obtained from

http://ca.alpha-labs.net.

The downloaded file can be verified with gpg. My public key can be obtained here, and a detached GPG signature for the certificate authority file can be downloaded here.

The certificate authority is one of the sacred cows on the server. It is always kept encrypted in a gpg container under a long passphrase, and decrypting it, that is, accessing it at all, triggers an alarm. Much as I love automation, every operation involving the CA is done by hand only.

Every certificate carries a CRL distribution point that points to a current revocation list, which announces retired or compromised certificates. You can trust that all measures are taken to keep every alpha-labs.net signed certificate safe.

As to the “why” of running my own certificate authority:
Consider a signed certificate from a trusted issuer such as Thawte or VeriSign. They check that you control the domain in question by sending an email to a predefined address, like hosting@alpha-labs.net. If you can respond to that email, the validity of the address is confirmed. That's it.
Do you trust them because you know them? Do you trust them because they check the administrator or the content thoroughly? You trust them because your web browser nudges you into trusting them.
The point of the Internet is to decentralize pretty much everything. Consolidation means placing the power and the trust in one concentrated spot. If that spot gets compromised, everything gets compromised. If that spot is under the control of one company, then you are for all intents and purposes at the mercy of that company (Google, say?).
Other systems, such as GPG, take a web-of-trust approach instead.

By running my own certificate authority I am decentralizing the web of trust, moving it from the few global players back to the content providers. And by doing so I give you a choice: you can trust that I am in control of my own server, and thereby trust all the services I provide — or you don't. You can even revoke that trust later on if you choose to. Try distrusting Thawte. Or VeriSign.

The choice is yours.