On Fri, Mar 27, 2015 at 11:44 AM, Marc Schiffbauer <mschiff@g.o> wrote:
> * Hanno Böck wrote on 27.03.15 at 15:33:
>>
>> "Certificates are too expensive"
>> Gentoo already has certs for all pages, so this is not an argument
>> here, but if this ever becomes an issue there are a number of CAs these
>> days that issue free certs. In summer the community based CA Let's
>> encrypt will start which will be another option.
>
> Or CAs which offer a "Cert Flatrate" for a small fee per year like
> StartSSL.com
|
As has been pointed out, this is a moot issue for Gentoo. However,
I'm not aware of anybody who both offers a free certificate and will
let you change your private key if it is compromised free of charge.

StartSSL in fact refuses to revoke certificates even when people
publish their private keys publicly. If you buy a previously-used
domain you might want to make sure that there isn't a StartSSL
certificate floating around for it which is still valid...
|
I don't think this has any bearing whatsoever on Gentoo, but it does
annoy me when people say that there are free cert options out there,
when the whole point of having a CA is security and the ones which are
both trusted and free have some pretty horrible security practices.

The current CA system is horribly broken, but not as broken as not
using SSL, or browsers which don't make you click 5 buttons every time
you visit a non-SSL website the way they do when you visit an SSL
website with an untrusted certificate. :)

--
Rich