I don't want to take this thread off course, but suggestions for low cost certs would be appreciated. I don't like how Let's Encrypt works, else that would be the obvious solution.
Domain registration isn't free. Server time isn't free. Something like $20 a year would be fine. I already have a self-signed cert for email, but would like to eventually encrypt my websites and attempt DNSSEC/DANE. When Symantec first announced that they would compete with Let's Encrypt, I signed up with them. But it looks like their free cert program is more like you need to recruit customers for them.

Original Message
From: Sven Schwedas
Sent: Wednesday, September 28, 2016 1:10 AM
To: postfix-users@postfix.org
Subject: Re: WoSign/StartCom CA in the news

On 2016-09-28 00:31, Giovanni Harting wrote:
> Correct me if I'm wrong, but that document you describe issued by
> Mozilla and others, doesn't it state that it would only affect newly
> issued certs after a certain date?

Yes, but most StartSSL/WoSign certificates are only valid for a year or
less. So customers should start looking for alternative providers *now*,
because a year-long block will affect almost all of them.

> On 09/28/16 at 00:29, Viktor Dukhovni wrote:
>> WoSign (who seemingly purchased StartCom) seem to have run into
>> some compliance issues as reported by Firefox:
>>
>> http://arstechnica.com/security/2016/09/firefox-ready-to-block-certificate-authority-that-threatened-web-security/
>>
>> Many SMTP servers are using certs from StartCom. In my DANE
>> adoption survey, out of 2201 certificates used by DANE MX
>> hosts 411 are issued by StartCom and 47 by WoSign. So that's
>> just over 20% of observed certificates. While the rate is
>> likely different for the larger SMTP ecosystem (DANE users
>> are bleeding edge, not representative at this time), I expect
>> that these CAs are still quite popular overall.
>>
>> If you're using StartCom/WoSign certs, and rely on them being
>> verified by MUAs and/or peer MTAs, you may want to make
>> contingency plans if Mozilla and perhaps others go through
>> with delisting (or disabling) the related root CAs from
>> their trusted CA bundles.

--
Best Regards,
Sven Schwedas, System Administrator
Mail/XMPP sven.schwe...@tao.at | Skype sven.schwedas
TAO Digital | Lendplatz 45 | A8020 Graz
https://www.tao-digital.at | Tel +43 680 301 7167