On 5/29/2013 8:11 PM, Johan Wevers wrote: >> They're based in Israel, not the US. > > Wether that's better, worse or just the same is another question.
Indeed. > But they do have US offices (they list one in New York) so they're > subject to the Patriot Act. Do they? My understanding is that it's just a VoIP number that connects to their Israeli offices. International calls to US numbers are often considerably less expensive than those to, say, Israel, so that makes some sense. See <https://www.startssl.com/?app=27> > There is a reason that some cloud services in Europe broadly > advertise with the fact thay they keep absolutely no relationship > with the US. Indeed. I'm not a lawyer, but I don't see how having a phone number in the US means that the whole organization is subject to the Patriot Act. Even if it was, I'm not really seeing the major issue here: they claim that there are no copies made of server-generated private keys at any stage, so they wouldn't have any secret material to turn over. Since you can submit CSRs for locally-generated keys then there's nothing private at all for them to reveal other than the information in the certificate, which is already public. If they were subject to the Patriot Act, they might be compelled to produce a new cert for a specific hostname (though I suspect they'd just cancel the US VoIP line if that issue came up), but how is this different from the many other US-based CAs? >> Additionally, it's an option to have them generate the private key for >> customers who are too lazy to generate their own private key and CSR, >> but it is not required: the certificate-creation procedure also allows >> for customers to provide them with a CSR produced from a >> customer-generated private key. > > OK, I could not find that after a brief look, they did wrote about > sending a private key with password protection over the mail. See <https://www.startssl.com/?app=25#44>: "The wizard doesn't force subscribers to use private keys generated by the CA, instead clicking on Skip at the step for private key generation allows to submit a certificate request (CSR) prepared by the subscriber. Some server software even requires this, most notable Java based software. The creation of the private key by the wizard is completely optional and at the sole risk of the subscriber." Anyway, the overall point was "WebTrust-audited and widely-trusted certificates are available for free from StartSSL, just as inexpensive ones are available from other CAs in various countries, so cost should not be a factor if one wishes to have secure, public-facing systems". Using self-signed certs is perfectly suitable for internal systems or those used by an individual or a small number of users, but for things requiring access by the public (who might otherwise be suspicious or technically unwilling or unable to configure their browser/mail client/etc. to trust a self-signed cert) it makes a lot of sense to use a cert signed by a CA. Cheers! -Pete _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
