Dear debian.org webmasters,
Currently debian.org uses SSL certificates from Let's Encrypt (LE). That
is not bad; however, there are cases when scammers get SSL certificates
from LE to secure their (untrustworthy?) sites. Even LE has said that scam
prevention is outside their scope, due to their nature as a
fully automated Certificate Authority.
With this current problem of LE, I think it would be better to migrate
to commercial certificates issued by a commercial Certificate Authority
(like DigiCert and COMODO). Unlike with LE, we (debian.org) have to create
Certificate Signing Requests (CSRs) which will be sent to those CAs. We
have to pay those CAs in order to get certificates from them. They
also offer Extended Validation (EV) certificates, for which browsers
will display the Subject name (such as Debian) beside the green padlock.
For EV certificates, the CA has to verify whether the certificate
requester *really* represents the Subject (website). EV certificates can
be useful for large organizations like Debian.
I know that Debian has had internal discussions about commercial
certificates before, but I would ask this list anyway. Given the
advantages of commercial SSL/TLS certificates as described above, would
commercial SSL/TLS certificates make sense for the debian.org website?
Regards, Bagas
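The message above mentions the CSR step that any non-automated CA requires. The following is an added example, not part of the original mail and not Debian's own tooling, showing what a CSR actually contains and what a CA checks first when it receives one: it generates a fresh key, builds a CSR carrying a subject and Subject Alternative Names, then parses the CSR back and verifies its self-signature (proof that the requester holds the private key). The hostnames and organisation name (www.example.org, example.org, "Example Organisation") are constructed placeholders; the private key never leaves the process, only the CSR would be sent to the CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"log"
)

// csrSubject is a constructed example subject. A DV certificate only needs the
// domain names proven; an EV application also carries organisation and country
// fields that the CA must verify against registration records.
var csrSubject = pkix.Name{
	CommonName:   "www.example.org",            // hypothetical hostname
	Organization: []string{"Example Organisation"}, // hypothetical org
	Country:      []string{"XX"},                   // placeholder country code
}

// csrSANs lists the hostnames the certificate should cover (constructed).
var csrSANs = []string{"www.example.org", "example.org"}

// makeCSR generates a P-256 key and a PEM-encoded CSR signed with it.
// Only the CSR (public key + requested names + signature) goes to the CA.
func makeCSR(subject pkix.Name, sans []string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject:  subject,
		DNSNames: sans,
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	pemBytes := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
	return key, pemBytes, nil
}

// inspectCSR does what a CA (or a careful requester) does before anything else:
// decode the PEM, parse the request, and check that the embedded signature was
// made by the key whose public half is inside the CSR. It returns the common
// name and the SAN list so they can be compared with what was actually requested.
func inspectCSR(pemBytes []byte) (string, []string, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return "", nil, fmt.Errorf("not a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return "", nil, err
	}
	// ParseCertificateRequest does not verify the signature; CheckSignature does.
	if err := csr.CheckSignature(); err != nil {
		return "", nil, fmt.Errorf("CSR self-signature invalid: %w", err)
	}
	return csr.Subject.CommonName, csr.DNSNames, nil
}

// tamperedCSRRejected flips one byte of the signature (the last DER byte of a
// CSR) and reports whether inspectCSR rejects the result. A CA that skipped
// CheckSignature would accept a request whose signature no longer matches.
func tamperedCSRRejected(pemBytes []byte) bool {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return false
	}
	der := append([]byte(nil), block.Bytes...)
	der[len(der)-1] ^= 0x01
	bad := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
	_, _, err := inspectCSR(bad)
	return err != nil
}

func main() {
	_, csrPEM, err := makeCSR(csrSubject, csrSANs)
	if err != nil {
		log.Fatal(err)
	}
	cn, sans, err := inspectCSR(csrPEM)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("CN=%s SANs=%v tampered-rejected=%v\n", cn, sans, tamperedCSRRejected(csrPEM))
	fmt.Print(string(csrPEM))
}
```

Whether the CA is automated (LE) or commercial (EV or not), this check only proves key possession; domain control and, for EV, organisation identity are validated by the CA out of band, which is why the CSR's Organization field alone is never evidence of who operates a site.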