Re: bugs.gnupg.org TLS certificate

2015-03-13 Thread Antony Prince
On 3/13/2015 9:28 PM, Antony Prince wrote: >> As far as I know, most if not all of the DNS resolvers >> immediately >>> available on a client system don’t perform DNSSEC validation. > I use BIND(named) as my DNS server and it is DNSSEC capable as wel

Re: bugs.gnupg.org TLS certificate

2015-03-13 Thread Antony Prince
On 3/13/2015 6:31 PM, Damien Goutte-Gattat wrote: > The fact that they are called “proposed standards” does not really mean > anything. Many widely deployed and successful IETF protocols are still > officially considered “proposed standard” and not “

Re: bugs.gnupg.org TLS certificate

2015-03-13 Thread Damien Goutte-Gattat
On 03/13/2015 08:23 PM, Antony Prince wrote: I am very interested in seeing these proposals become official standards. The fact that they are called “proposed standards” does not really mean anything. Many widely deployed and successful IETF protocols are still officially considered “proposed

Re: bugs.gnupg.org TLS certificate

2015-03-13 Thread Antony Prince
On 3/13/2015 10:02 AM, Ville Määttä wrote: > On 13.03.15 15:27, Werner Koch wrote: >> The more expensive CAs are only selling you a fashionable background >> color for your the client's address bar. > > Essentially, that's it :). > > There are howe

Re: bugs.gnupg.org TLS certificate

2015-03-13 Thread Ville Määttä
On 13.03.15 15:27, Werner Koch wrote: > The more expensive CAs are only selling you a fashionable background > color for your the client's address bar. Essentially, that's it :). There are however clearly defined hard requirements to the Extended Validation, aka "green bar" level. That is, more i

Re: bugs.gnupg.org TLS certificate

2015-03-13 Thread Ville Määttä
On 13.03.15 15:04, Mark H. Wood wrote: > On Fri, Mar 13, 2015 at 05:55:53AM -0300, Hugo Osvaldo Barrera wrote: >> > On 2015-03-13 08:21, Werner Koch wrote: >>> > > On Fri, 13 Mar 2015 00:21, h...@barrera.io said: >>> > > > > > No need for a wildcard one. Just get one free certificate for each

Re: bugs.gnupg.org TLS certificate

2015-03-13 Thread Werner Koch
On Fri, 13 Mar 2015 14:04, mw...@iupui.edu said: > A CA that charges nothing cannot afford to do much (any?) checking of > the assertions in my CSR. The resulting signature thus cannot have > some of the meaning that a more thoroughly investigated CSR can Given the implicit cross certification o

Re: bugs.gnupg.org TLS certificate

2015-03-13 Thread Mark H. Wood
On Fri, Mar 13, 2015 at 05:55:53AM -0300, Hugo Osvaldo Barrera wrote: > On 2015-03-13 08:21, Werner Koch wrote: > > On Fri, 13 Mar 2015 00:21, h...@barrera.io said: > > > > > No need for a wildcard one. Just get one free certificate for each > > > subdomain > > > from StartSSL. > > > > Definitel

Re: bugs.gnupg.org TLS certificate

2015-03-13 Thread Hugo Osvaldo Barrera
On 2015-03-13 08:21, Werner Koch wrote: > On Fri, 13 Mar 2015 00:21, h...@barrera.io said: > > > No need for a wildcard one. Just get one free certificate for each subdomain > > from StartSSL. > > Definitely not. It is far easier to pay 10 Euro a year for one from > Gandi. But that is all not an i

Re: bugs.gnupg.org TLS certificate

2015-03-13 Thread Werner Koch
On Fri, 13 Mar 2015 00:21, h...@barrera.io said: > No need for a wildcard one. Just get one free certificate for each subdomain > from StartSSL. Definitely not. It is far easier to pay 10 Euro a year for one from Gandi. But that is all not an issue, migrating Roundup to a newer version is more wor

Re: bugs.gnupg.org TLS certificate

2015-03-12 Thread Avi
No, Doug, I really don't have an opinion. To do so, I would have had to give some thought to the relative merits of both sides and crystallized an opinion. Since SSL certificates do not directly apply to me at this moment, I have not given it the attention it deserves, and so I cannot in good fait

Re: bugs.gnupg.org TLS certificate

2015-03-12 Thread Doug Barton
It's quite disingenuous to say you don't have an opinion, when obviously you do. This topic was debated at length on this list when Heartbleed happened. There are two camps: 1. Those who think that if you offer any kind of free service, you have to offer all related services for free as well

Re: bugs.gnupg.org TLS certificate

2015-03-12 Thread Avi
I have no opinion one way or the other re: StartSSL, but there are those who do: < https://danconnor.com/post/50f65364a0fd5fd1f701/avoid_startcom_startssl_like_the_plague_ > < https://www.techdirt.com/articles/20140409/11442426859/shameful-

Re: bugs.gnupg.org TLS certificate

2015-03-12 Thread Mick Crane
>> On 12 Mar 2015, at 23:21, Hugo Osvaldo Barrera wrote: >> >> On 2015-03-11 17:38, Werner Koch wrote: >> On Wed, 11 Mar 2015 15:12, br...@minton.name said: >> >>> git.gnupg.org) don't use that certificate. Have you considered a wildcard >>> certificate? I know this has been discussed before

Re: bugs.gnupg.org TLS certificate

2015-03-12 Thread Pete Stephenson
On Fri, Mar 13, 2015 at 12:21 AM, Hugo Osvaldo Barrera wrote: > On 2015-03-11 17:38, Werner Koch wrote: >> On Wed, 11 Mar 2015 15:12, br...@minton.name said: >> >> > git.gnupg.org) don't use that certificate. Have you considered a wildcard >> > certificate? I know this has been discussed before,

Re: bugs.gnupg.org TLS certificate

2015-03-12 Thread Hugo Osvaldo Barrera
On 2015-03-11 17:38, Werner Koch wrote: > On Wed, 11 Mar 2015 15:12, br...@minton.name said: > > > git.gnupg.org) don't use that certificate. Have you considered a wildcard > > certificate? I know this has been discussed before, e.g. at > > Too expensive ;-). To stop all these complaints I wil

Re: bugs.gnupg.org TLS certificate

2015-03-11 Thread Werner Koch
On Wed, 11 Mar 2015 15:12, br...@minton.name said: > git.gnupg.org) don't use that certificate. Have you considered a wildcard > certificate? I know this has been discussed before, e.g. at Too expensive ;-). To stop all these complaints I will add a so-called real certificate but first I need

bugs.gnupg.org TLS certificate

2015-03-11 Thread Brian Minton
I wanted to report a bug of gnupg, but my browser complained about the certificate (self-signed, and for kerckhoffs.g10code.com) rather than bugs.gnupg.org. I noticed that https://gnupg.org has a trusted certificate from Gandi Standard SSL CA, but b