| 1 |
On Fri, Mar 27, 2015 at 11:44 AM, Marc Schiffbauer <mschiff@g.o> wrote: |
| 2 |
> * Hanno Böck schrieb am 27.03.15 um 15:33 Uhr: |
| 3 |
>> |
| 4 |
>> |
| 5 |
>> "Certificates are too expensive" |
| 6 |
>> Gentoo already has certs for all pages, so this is not an argument |
| 7 |
>> here, but if this ever becomes an issue there are a number of CAs these |
| 8 |
>> days that issue free certs. In summer the community based CA Let's |
| 9 |
>> encrypt will start which will be another option. |
| 10 |
> |
| 11 |
> |
| 12 |
> Or CAs which offer a "Cert Flatrate" for a small fee per year like |
| 13 |
> StartSSL.com |
| 14 |
|
| 15 |
As has been pointed out, this is a moot issue for Gentoo. However, |
| 16 |
I'm not aware of anybody who both offers a free certificate and will |
| 17 |
let you change your private key if it is compromised free of charge. |
| 18 |
|
| 19 |
StartSSL in fact refuses to revoke certificates even when people |
| 20 |
publish their private keys publicly. If you buy a previously-used |
| 21 |
domain you might want to make sure that there isn't a StartSSL |
| 22 |
certificate floating around for it which is still valid... |
| 23 |
|
| 24 |
I don't think this has any bearing whatsoever on Gentoo, but it does |
| 25 |
annoy me when people say that there are free cert options out there, |
| 26 |
when the whole point of having a CA is security and the ones which are |
| 27 |
both trusted and free have some pretty horrible security practices. |
| 28 |
|
| 29 |
The current CA system is horribly broken, but not as broken as not |
| 30 |
using SSL, or browsers which don't make you click 5 buttons every time |
| 31 |
you visit a non-SSL website the way they do when you visit an SSL |
| 32 |
website with an untrusted certificate. :) |
| 33 |
|
| 34 |
-- |
| 35 |
Rich |
Archives