| 1 |
On Fri, Mar 27, 2015 at 04:44:16PM +0100, Marc Schiffbauer wrote: |
| 2 |
> >"Certificates are too expensive" |
| 3 |
> >Gentoo already has certs for all pages, so this is not an argument |
| 4 |
> >here, but if this ever becomes an issue there are a number of CAs these |
| 5 |
> >days that issue free certs. In summer the community based CA Let's |
| 6 |
> >encrypt will start which will be another option. |
| 7 |
> Or CAs which offer a "Cert Flatrate" for a small fee per year like |
| 8 |
> StartSSL.com |
| 9 |
Please don't promote StartSSL with their excessive demands for personal |
| 10 |
information: |
| 11 |
https://www.startssl.com/?app=34 |
| 12 |
Passport AND (Drivers License or National ID) |
| 13 |
|
| 14 |
To be able to issue certs from them, EACH person in an organization |
| 15 |
needs to comply with that "Identity Validation", and the organization |
| 16 |
validation is on top of that: |
| 17 |
https://www.startssl.com/?app=35 |
| 18 |
|
| 19 |
How many people here would willingly send this level of detail to |
| 20 |
somebody in a foreign country? Does your home country not have strict |
| 21 |
regulations about who can keep a copy of this information (retaining |
| 22 |
this information is mostly prohibited by my local laws). |
| 23 |
|
| 24 |
We're with DigiCert instead, where only the organization was verified. |
| 25 |
They also have a good API for generating certificates, which was |
| 26 |
invaluable during the Heartbleed certificate switchover. |
| 27 |
|
| 28 |
> >I think defaulting the net to HTTPS is a big step for more security and |
| 29 |
> >I think Gentoo should join the trend here. |
| 30 |
> ... DNSSEC with TLSA records comes to my mind |
| 31 |
I proposed TLSA on the lists last year, and got very few takers. |
| 32 |
DNSSEC has been in place for years already. |
| 33 |
|
| 34 |
-- |
| 35 |
Robin Hugh Johnson |
| 36 |
Gentoo Linux: Developer, Infrastructure Lead |
| 37 |
E-Mail : robbat2@g.o |
| 38 |
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85 |
Archives