On 12/17/2013 04:10 PM, Doug Barton wrote:
> I have no connection to StartSSL other than "satisfied non-paying
> 'customer'" but they do the trick, and the price is right. There are
> other free options as well, as was pointed out here recently. It doesn't
> matter to me which one y'all choose, but please, choose one and let's
> move on.
Another argument for doing this. The centralized public key infrastructure is badly flawed, but if you do have a cert that's signed by a CA that Firefox and Chromium trust you get added to the HSTS preload lists for those browsers.

Here's a bit about what HSTS is:
https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security

Chromium (and by extension Chrome) ships with a list of websites that are preloaded with HSTS. Here is info about getting into the Chromium list: http://www.chromium.org/sts (specifically, email Adam Langley at a...@chromium.org).

Here's Firefox's feature definition for its HSTS preload list:
https://wiki.mozilla.org/Privacy/Features/HSTS_Preload_List

I don't know what the policy is to get on their list, but Firefox currently ships with it:
https://mxr.mozilla.org/mozilla-central/source/security/manager/boot/src/nsSTSPreloadList.inc

So my guess is just open a bug asking for gnupg.org to get added.

As far as I know these preload lists only force HTTPS for these domains. I wonder if anyone could convince the browser vendors to also do certificate pinning, bypassing PKI based on CAs altogether?

-- 
Micah Lee
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
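As an added illustration of what the preload list discussed above actually does in a client (example code written for this page, not from the thread, from GnuPG, or from any browser), here is a small HSTS policy engine following RFC 6797: it parses Strict-Transport-Security headers, keeps a host store seeded from a constructed preload list (the gnupg.org entry is hypothetical, the domain is not on any list just because it appears here), and rewrites plain-http URLs to https for known hosts, honouring includeSubDomains, max-age expiry and the rule that a header is only trusted over TLS. The `preload_eligible_header` helper checks the header against the header-related criteria currently published at hstspreload.org (one-year max-age, includeSubDomains, preload); that bar is an assumption about the present-day form and is stricter than the 2013 process the thread describes, so verify it against the site before relying on it.

```python
"""HSTS (RFC 6797) policy evaluation, plus a preload-eligibility header check.
Added example: the preload entries and headers below are constructed for illustration."""
import time
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

PRELOAD_MIN_MAX_AGE = 31536000  # one year; assumed current hstspreload.org minimum


@dataclass
class HstsEntry:
    expires: float           # absolute time; float("inf") marks a preloaded (static) entry
    include_subdomains: bool


def parse_sts_header(value):
    """Return (max_age, include_subdomains, preload), or None if the header is invalid.
    RFC 6797 s6.1: ';'-separated directives, case-insensitive names, max-age required,
    a repeated directive makes the whole header invalid, unknown directives are ignored."""
    max_age, include_subdomains, preload, seen = None, False, False, set()
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, _, arg = raw.partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    return None if max_age is None else (max_age, include_subdomains, preload)


def preload_eligible_header(value):
    """List the reasons a header would fail the preload form's header checks ([] = fine)."""
    parsed = parse_sts_header(value)
    if parsed is None:
        return ["invalid Strict-Transport-Security header"]
    max_age, include_subdomains, preload = parsed
    problems = []
    if max_age < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {max_age} < {PRELOAD_MIN_MAX_AGE}")
    if not include_subdomains:
        problems.append("missing includeSubDomains")
    if not preload:
        problems.append("missing preload directive")
    return problems


class HstsStore:
    def __init__(self, preload=None, now=time.time):
        self.now = now  # injectable clock so expiry can be tested deterministically
        self.entries = {h.lower(): HstsEntry(float("inf"), sub) for h, sub in (preload or {}).items()}

    def observe(self, host, header_value, over_tls=True):
        """Apply an STS header received from `host`. RFC 6797 s8.1: only honoured over a
        TLS connection whose certificate validated (the caller reports that). This store
        also refuses to let a dynamic header replace a static (preloaded) entry."""
        parsed = parse_sts_header(header_value) if over_tls else None
        if parsed is None:
            return False
        max_age, include_subdomains, _ = parsed
        host = host.lower()
        if host in self.entries and self.entries[host].expires == float("inf"):
            return False
        if max_age == 0:                    # max-age=0 withdraws the policy
            self.entries.pop(host, None)
        else:
            self.entries[host] = HstsEntry(self.now() + max_age, include_subdomains)
        return True

    def is_known_host(self, host):
        """Exact match always counts; a parent-domain entry counts only with includeSubDomains."""
        labels, now = host.lower().split("."), self.now()
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None or entry.expires <= now:
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False

    def rewrite(self, url):
        """RFC 6797 s8.3: upgrade http to https for known hosts; port 80 becomes the
        default 443, any other explicit port is preserved."""
        p = urlsplit(url)
        if p.scheme != "http" or not self.is_known_host(p.hostname):
            return url
        netloc = p.hostname + (f":{p.port}" if p.port and p.port != 80 else "")
        return urlunsplit(("https", netloc, p.path, p.query, p.fragment))
```

The point the thread makes is visible in `rewrite`: a preloaded entry forces the scheme to https on the very first request, before any header has been seen, which is what a dynamically learned entry cannot do. What it does not do is pin the certificate; `observe` still relies on the caller having validated the chain against the CA store.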