On Thu, Sep 27, 2007 at 06:47:36PM -0400, Caleb Tennis wrote:
> Is there a reason that my Godaddy suggestion in the bug isn't being considered?
> Regardless of what you may think of them as a company, they offer the same free type
> of certificate to open source projects just like cacert, and with what looks to be
> considerably less overhead. I understand that cacert is more "open sourcy" than
> godaddy, but if they're as much of a roadblock as the Trustees are in this case,
> maybe going that route would enable us to move forward?
See my comment #14, regarding regenerating the certs [1] each time the set
of SSL vhosts on a box changes. For mail services, this isn't really an
issue, but for web services it's a big one. Wildcards only work in
Mozilla, and nowhere else [2].

[1] http://wiki.cacert.org/wiki/VhostTaskForce#head-7236c4e2c9932ef42056b3ff6d367053081887de
[2] http://wiki.cacert.org/wiki/WildcardCertificates

> > I don't agree that it's a big improvement. If you read the bug above,
> > you'll note that we did at one stage have a 'Gentoo CA' that Infra ran
> > for generating certs.
> It is a big improvement. Not in security, but in perception.
Ok, let's narrow this down for a moment.
Of the SSL-using services that Gentoo has, which do we care about for
users (NOT developers)?
bugs.g.o and forums.g.o are the main two that I'm aware of.
Are there any others that get high traffic of security-clueless users?

If there aren't too many AND we can get a dedicated IP for each of those
services, I'd like to suggest the following, as an easily doable and
low-overhead (in terms of Trustees/paperwork) solution:

1. On the services identified, get extra IPs, and use the free GoDaddy certs.
2. On other services use the Gentoo-CA approach.

--
Robin Hugh Johnson
Gentoo Linux Developer & Infra Guy
E-Mail : robbat2@g.o
GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85