Gentoo Archives: gentoo-dev

From: "Robin H. Johnson" <robbat2@g.o>
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] SSL-Certificates and CAcert
Date: Fri, 28 Sep 2007 00:22:05
Message-Id: 20070928001048.GD1606@curie-int.orbis-terrarum.net
In Reply to: Re: [gentoo-dev] SSL-Certificates and CAcert by Caleb Tennis
On Thu, Sep 27, 2007 at 06:47:36PM -0400, Caleb Tennis wrote:
> Is there a reason that my Godaddy suggestion in the bug isn't being considered?
> Regardless of what you may think of them as a company, they offer the same free type
> of certificate to open source projects just like cacert, and with what looks to be
> considerably less overhead. I understand that cacert is more "open sourcy" than
> godaddy, but if they're as much of a roadblock as the Trustees are in this case,
> maybe going that route would enable us to move forward?
See my comment #14, regarding regenerating the certs [1] each time the set
of SSL vhosts on a box changes. For mail services, this isn't really an
issue, but for web services it's a big one. Wildcards only work in
Mozilla, and nowhere else [2].

[1] http://wiki.cacert.org/wiki/VhostTaskForce#head-7236c4e2c9932ef42056b3ff6d367053081887de
[2] http://wiki.cacert.org/wiki/WildcardCertificates

> > I don't agree that it's a big improvement. If you read the bug above,
> > you'll note that we did at one stage have a 'Gentoo CA' that Infra ran
> > for generating certs.
> It is a big improvement. Not in security, but in perception.
Ok, let's narrow this down for a moment.
Of the SSL-using services that Gentoo has, which do we care about for
users (NOT developers)?
bugs.g.o and forums.g.o are the main two that I'm aware of.
Are there any others that get high traffic of security-clueless users?

If there aren't too many AND we can get a dedicated IP for each of those
services, I'd like to suggest the following, as an easily doable and
low-overhead (in terms of Trustees/paperwork) solution:

1. On the services identified, get extra IPs, and use the free GoDaddy certs.
2. On other services use the Gentoo-CA approach.

--
Robin Hugh Johnson
Gentoo Linux Developer & Infra Guy
E-Mail : robbat2@g.o
GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85
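The "regenerate the cert every time the vhost set changes" problem above comes down to one rule: a certificate only covers the DNS names listed in its subjectAltName, and a wildcard entry covers exactly one label. The following is an added example, not code from the message or from Gentoo infra; it models the name-matching rule clients apply (RFC 6125 style, as browsers do today), with constructed example.org hostnames, and shows which vhosts on a box would be left uncovered by a given cert and what subjectAltName line a regenerated CSR would need.

```python
"""Which SSL vhosts does a certificate's subjectAltName list actually cover?

Added example (not from the mailing-list post). Implements RFC 6125 style
DNS-ID matching: exact match, or a wildcard that is the entire leftmost
label, covers exactly one label, and never matches a bare or multi-level
name. All hostnames below are constructed for illustration.
"""

from typing import Iterable, List


def _labels(name: str) -> List[str]:
    """Normalise for comparison: case-insensitive, ignore a trailing dot."""
    return name.lower().rstrip(".").split(".")


def name_matches(san_entry: str, hostname: str) -> bool:
    """True if one DNS entry from a cert's subjectAltName covers hostname."""
    pattern = _labels(san_entry)
    host = _labels(hostname)
    if "*" not in san_entry:
        return pattern == host
    # Wildcard rules: only as the whole leftmost label, with at least two
    # fixed labels to its right ('*.org' is rejected), no other wildcards.
    if pattern[0] != "*" or len(pattern) < 3 or any("*" in l for l in pattern[1:]):
        return False
    # '*' stands in for exactly one non-empty label, never zero or several.
    if len(host) != len(pattern) or host[0] == "":
        return False
    return host[1:] == pattern[1:]


def cert_covers(san_names: Iterable[str], hostname: str) -> bool:
    """True if any SAN entry covers the vhost name."""
    return any(name_matches(n, hostname) for n in san_names)


def uncovered_vhosts(san_names: Iterable[str], vhosts: Iterable[str]) -> List[str]:
    """Vhosts the current cert does not cover, i.e. the reason to reissue."""
    sans = list(san_names)
    return [v for v in vhosts if not cert_covers(sans, v)]


def san_config_line(vhosts: Iterable[str]) -> str:
    """subjectAltName value to put in the CSR config when regenerating."""
    return "subjectAltName=" + ",".join("DNS:" + v for v in vhosts)


if __name__ == "__main__":
    # Constructed scenario: a cert issued when the box had two SSL vhosts,
    # then a third vhost is added.
    current_cert = ["bugs.example.org", "forums.example.org"]
    vhosts_now = ["bugs.example.org", "forums.example.org", "wiki.example.org"]
    missing = uncovered_vhosts(current_cert, vhosts_now)
    print("needs reissue for:", missing)
    print("new CSR line:", san_config_line(vhosts_now))

    # What a single wildcard entry does and does not cover.
    wild = ["*.example.org"]
    for h in ["wiki.example.org", "example.org", "a.b.example.org"]:
        print(h, "covered by *.example.org:", cert_covers(wild, h))
```

Run it directly to see the reissue list and the subjectAltName line for the enlarged vhost set; the wildcard loop shows that `*.example.org` covers `wiki.example.org` but neither the bare `example.org` nor a two-level `a.b.example.org`, which is why a wildcard is not a substitute for listing every name when vhosts sit at different depths.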

Replies

Subject Author
[gentoo-dev] Re: SSL-Certificates and CAcert Duncan <1i5t5.duncan@×××.net>
Re: [gentoo-dev] SSL-Certificates and CAcert Mike Williams <mike@××××××××.uk>