CACert came up in my search. I will look into it. Suggestions always appreciated since I'm quite comfortable with people out there knowing more than me.

I didn't like the Let's Encrypt 90 day deal with mysterious upload to your server. It bugs me. About the only outside control of my server I accept is spam RBLs, because really I have no alternative. I understand there is GitHub code out there (perhaps your simp_le) as an alternative to whatever Let's Encrypt does regarding updates, but that seems just as dicey.

Original Message
From: Sven Schwedas
Sent: Wednesday, September 28, 2016 1:34 AM
To: li...@lazygranch.com; postfix-users@postfix.org
Subject: Re: WoSign/StartCom CA in the news

On 2016-09-28 10:25, li...@lazygranch.com wrote:
> I don't want to take this thread off course, but suggestions for low cost certs
> would be appreciated. I don't like how Let's Encrypt works, else that would
> be the obvious solution.

"how Let's Encrypt works" is a bit vague. Domain verification is standard for a lot of registrars (and safer than what StartSSL does, which is allowing you to breach their TOS if you pay hush money), and there are LE clients that don't automatically fuck up your server configs, if that's your concern (we use simp_le, e.g., it just generates the certs and everything else is up to you).

> Domain registration isn't free. Server time isn't free. Something like $20 a
> year would be fine. I already have a self signed cert for email, but would
> like to eventually encrypt my websites and attempt dnssec/dane.

Have you considered CACert? Otherwise it's either scummy registrars that ought to be the next on the chop block (like Comodo) or gets expensive fast. (Or both.)

> When Symantec first announced that they would compete with Let's Encrypt, I
> signed up with them. But it looks like their free cert program is more like
> you need to recruit customers for them.

Same with the others. Of course they want to stay in business, even if it's dead already.

>
> Original Message
> From: Sven Schwedas
> Sent: Wednesday, September 28, 2016 1:10 AM
> To: postfix-users@postfix.org
> Subject: Re: WoSign/StartCom CA in the news
>
> On 2016-09-28 00:31, Giovanni Harting wrote:
>> Correct me if I'm wrong, but that document you describe issued by
>> Mozilla and others, doesn't it state that it would only affect newly
>> issued certs after a certain date?
>
> Yes, but most StartSSL/WoSign certificates are only valid for a year or
> less. So customers should start looking for alternative providers *now*,
> because a year-long block will affect almost all of them.
>
>> On 09/28/16 at 00:29, Viktor Dukhovni wrote:
>>> WoSign (who seemingly purchased StartCom) seem to have run into
>>> some compliance issues as reported by Firefox:
>>>
>>> http://arstechnica.com/security/2016/09/firefox-ready-to-block-certificate-authority-that-threatened-web-security/
>>>
>>> Many SMTP servers are using certs from StartCom. In my DANE
>>> adoption survey, out of 2201 certificates used by DANE MX
>>> hosts 411 are issued by StartCom and 47 by WoSign. So that's
>>> just over 20% of observed certificates. While the rate is
>>> likely different for the larger SMTP ecosystem (DANE users
>>> are bleeding edge, not representative at this time), I expect
>>> that these CAs are still quite popular overall.
>>>
>>> If you're using StartCom/WoSign certs, and rely on them being
>>> verified by MUAs and/or peer MTAs, you may want to make
>>> contingency plans if Mozilla and perhaps others go through
>>> with delisting (or disabling) the related root CAs from
>>> their trusted CA bundles.
>>>

--
Kind regards, / Best Regards,
Sven Schwedas, System Administrator
Mail/XMPP sven.schwe...@tao.at | Skype sven.schwedas
TAO Digital | Lendplatz 45 | A8020 Graz
https://www.tao-digital.at | Tel +43 680 301 7167
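Viktor's advice above is to find out whether your MX depends on StartCom/WoSign-issued certificates before the roots are delisted. As an added shell example (not part of the thread or any poster's code), this lists the issuer of every certificate in a PEM chain and flags those CAs. It assumes the openssl CLI is installed; the certificates it generates are constructed test data and mx.example.test is a placeholder host.

```shell
#!/bin/sh
# Added example, not from the thread: scan a PEM certificate chain for
# certificates issued by StartCom or WoSign. Assumes the openssl CLI.
set -eu

# Issuer name fragments to flag (case-insensitive extended regex).
FLAGGED_ISSUERS='StartCom|WoSign'

# Print one "issuer=..." line per certificate in a PEM file (or stdin).
# Surrounding text is ignored, so raw "openssl s_client -showcerts" output works too.
chain_issuers() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { buf = "" }
        { buf = buf $0 "\n" }
        /-----END CERTIFICATE-----/ {
            cmd = "openssl x509 -noout -issuer"
            printf "%s", buf | cmd
            close(cmd)
        }' "${1:-/dev/stdin}"
}

# Return 0 and print the matching issuer lines if any certificate in the chain
# comes from a flagged CA; return 1 if the chain is clean.
flag_distrusted_issuers() {
    chain_issuers "$1" | grep -Ei "$FLAGGED_ISSUERS"
}

# Constructed test data: a temp dir with one self-signed cert whose issuer
# names StartCom and one from an unrelated organisation. Prints the dir path.
make_test_chain() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$dir/k1.pem" \
        -out "$dir/flagged.pem" -subj "/O=StartCom Ltd./CN=mx.example.test" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$dir/k2.pem" \
        -out "$dir/clean.pem" -subj "/O=Example Org/CN=mx.example.test" 2>/dev/null
    cat "$dir/flagged.pem" "$dir/clean.pem" > "$dir/chain.pem"
    echo "$dir"
}

# Demo on the constructed chain. For a live MX, feed the STARTTLS chain instead:
#   openssl s_client -starttls smtp -connect mx.example.test:25 -showcerts </dev/null | chain_issuers
demo_dir=$(make_test_chain)
if flag_distrusted_issuers "$demo_dir/chain.pem"; then
    echo "chain contains a StartCom/WoSign-issued certificate: plan a replacement"
else
    echo "no StartCom/WoSign issuers in chain"
fi
rm -rf "$demo_dir"
```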