On Fri, Mar 27, 2015 at 11:44 AM, Marc Schiffbauer <msch...@gentoo.org> wrote:
> * Hanno Böck wrote on 27.03.15 at 15:33:
>>
>> "Certificates are too expensive"
>> Gentoo already has certs for all pages, so this is not an argument
>> here, but if this ever becomes an issue there are a number of CAs these
>> days that issue free certs. In summer the community based CA Let's
>> encrypt will start which will be another option.
>
> Or CAs which offer a "Cert Flatrate" for a small fee per year like
> StartSSL.com

As has been pointed out, this is a moot issue for Gentoo. However, I'm not aware of anybody who both offers a free certificate and will let you change your private key if it is compromised free of charge. StartSSL in fact refuses to revoke certificates even when people publish their private keys publicly. If you buy a previously-used domain you might want to make sure that there isn't a StartSSL certificate floating around for it which is still valid...

I don't think this has any bearing whatsoever on Gentoo, but it does annoy me when people say that there are free cert options out there, when the whole point of having a CA is security and the ones which are both trusted and free have some pretty horrible security practices.

The current CA system is horribly broken, but not as broken as not using SSL, or browsers which don't make you click 5 buttons every time you visit a non-SSL website the way they do when you visit an SSL website with an untrusted certificate. :)

--
Rich