On 12/16/2013 02:32 PM, Micah Lee wrote:
> Also, looks like the CA is CAcert--an awesome CA, but not trusted by
> browsers by default. I'd suggest getting a cert from StartSSL
> [https://startssl.com/], since they're the only CA that gives certs for
> free. And a wildcard cert (for *.gnupg.org) ends up costing like $60 USD.
Regardless of how you feel about the CA cartel in general, StartSSL is not the only member of the cartel offering gratis certs, particularly for well-known free software projects. (Also, as a business in Israel, StartSSL is the target of an ongoing international boycott due to Israeli domestic policy -- http://www.bdsmovement.net/)

Other members of the CA cartel that offer gratis certificates (particularly for free software projects) include:

  https://www.globalsign.com/ssl/ssl-open-source/
  https://www.godaddy.com/ssl/ssl-open-source.aspx
  https://www.instantssl.com/ssl-certificate-products/free-ssl-certificate.html

A not-insignificant cost for all of this stuff (regardless of whether the cert itself is gratis or not) is understanding and complying with the terms of service of the particular CA, keeping the certificate up to date, and figuring out which silly rules each CA happens to impose (for example, some CAs appear to only issue certs over the end-entity's RSA key if it has 2048 bits or 4096 bits, but they will not accept any key length in between; other CAs require certain fields to be present in the CSR that are meaningless, but must be filled in with "NA" (meaning, presumably, 'not applicable'), and so on). Some gratis certificates become non-gratis after the first year, and some CAs change their policies from year to year as well. Some of these issues may be less bad when dealing with CAcert.

I'd argue that none of these cartel members are actually any more reliable than CAcert, but it may still be useful to get a certification from a cartel member just because of the existing lock-in situation. In the meantime, other mechanisms (like DANE or monkeysphere) can provide parallel certification paths for people who do not want to rely on the cartel.

I'm happy to see more advocacy for stronger crypto by default for as many public-facing services as possible. But I don't think we should be advocating for use of a single vendor, particularly one in the dominant CA cartel.

Werner, if I can help with configuring or maintaining the web server for gnupg.org to address some of these issues, please let me know.

Regards,

--dkg
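The certificate chores dkg lists above (a CA that accepts only 2048- or 4096-bit RSA keys, CSR fields that must be filled in with "NA", keeping the certificate current, and DANE as a parallel certification path) scripted with openssl. This is an added example, not code from the thread, from dkg, or from the GnuPG project; the function names, the host www.example.org and the "NA" subject fields are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original thread): certificate chores with openssl.
# All function names are hypothetical; www.example.org is a constructed host.
set -eu

# Report the modulus size of an RSA private key in bits. The sed pattern
# tolerates the "Private-Key: (2048 bit)" / "(2048 bit, 2 primes)" variants
# printed by different OpenSSL releases.
key_bits() {  # key.pem
  openssl pkey -in "$1" -noout -text 2>/dev/null \
    | sed -n 's/^.*Private-Key: (\([0-9][0-9]*\) bit.*$/\1/p'
}

# Some CAs accept only 2048- or 4096-bit RSA keys and nothing in between,
# so refuse anything else before a CSR is ever submitted.
key_is_acceptable() {  # key.pem
  case "$(key_bits "$1")" in
    2048|4096) return 0 ;;
    *)         return 1 ;;
  esac
}

# Build a CSR. Subject fields a CA insists on but which mean nothing for a
# project web site are filled in with "NA", as the thread describes.
make_csr() {  # key.pem hostname out.csr
  openssl req -new -key "$1" \
    -subj "/C=NA/ST=NA/L=NA/O=NA/CN=$2" \
    -out "$3" 2>/dev/null
}

# Self-signed certificate for local testing only; a real deployment submits
# the CSR to a CA and/or publishes the key via DANE.
make_selfsigned() {  # key.pem hostname days out.pem
  openssl req -x509 -new -key "$1" -days "$3" \
    -subj "/CN=$2" -out "$4" 2>/dev/null
}

# Succeeds if the certificate stays valid for at least $2 more seconds.
# Run from cron so a renewal deadline is noticed before browsers notice it.
cert_valid_for() {  # cert.pem seconds
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# SHA-256 over the DER SubjectPublicKeyInfo: the data field of a TLSA
# "3 1 1" record (DANE-EE, SPKI selector, SHA-256), which lets a
# DNSSEC-signed zone vouch for the key with no CA involved.
tlsa_3_1_1_hash() {  # cert.pem
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER 2>/dev/null \
    | openssl dgst -sha256 \
    | sed 's/^.*= //'
}

# Full resource record, e.g. "_443._tcp.www.example.org. IN TLSA 3 1 1 <hex>"
tlsa_rr() {  # cert.pem port hostname
  printf '_%s._tcp.%s. IN TLSA 3 1 1 %s\n' "$2" "$3" "$(tlsa_3_1_1_hash "$1")"
}

# Walk through the whole lifecycle with constructed throwaway material.
demo() {
  d=$(mktemp -d)
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$d/key.pem" 2>/dev/null
  key_is_acceptable "$d/key.pem" && echo "key size $(key_bits "$d/key.pem") accepted"
  make_csr "$d/key.pem" www.example.org "$d/req.csr"
  make_selfsigned "$d/key.pem" www.example.org 365 "$d/cert.pem"
  cert_valid_for "$d/cert.pem" $((30*86400)) && echo "cert good for 30+ days"
  tlsa_rr "$d/cert.pem" 443 www.example.org
  rm -rf "$d"
}
demo
```

The TLSA record only helps resolvers that validate DNSSEC and clients that check DANE; it is a parallel path alongside the CA-issued certificate, not a replacement for it on today's browsers.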
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users