On Fri, Mar 27, 2015 at 04:44:16PM +0100, Marc Schiffbauer wrote:
> >"Certificates are too expensive"
> >Gentoo already has certs for all pages, so this is not an argument
> >here, but if this ever becomes an issue there are a number of CAs these
> >days that issue free certs. In summer the community based CA Let's
> >Encrypt will start which will be another option.
> Or CAs which offer a "Cert Flatrate" for a small fee per year like
> StartSSL.com
Please don't promote StartSSL with their excessive demands for personal
information:
https://www.startssl.com/?app=34
Passport AND (Drivers License or National ID)

To be able to issue certs from them, EACH person in an organization
needs to comply with that "Identity Validation", and the organization
validation is on top of that:
https://www.startssl.com/?app=35

How many people here would willingly send this level of detail to
somebody in a foreign country? Does your home country not have strict
regulations about who can keep a copy of this information (retaining
this information is mostly prohibited by my local laws)?

We're with DigiCert instead, where only the organization was verified.
They also have a good API for generating certificates, which was
invaluable during the Heartbleed certificate switchover.

> >I think defaulting the net to HTTPS is a big step for more security and
> >I think Gentoo should join the trend here.
> ... DNSSEC with TLSA records comes to my mind
I proposed TLSA on the lists last year, and got very few takers.
DNSSEC has been in place for years already.

--
Robin Hugh Johnson
Gentoo Linux: Developer, Infrastructure Lead
E-Mail : robbat2@g.o
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85