X.509 certificates for https://gnupg.org [was: Re: Another step towards crowdfunding]

Daniel Kahn Gillmor dkg at fifthhorseman.net
Mon Dec 16 21:35:53 CET 2013

On 12/16/2013 02:32 PM, Micah Lee wrote:
> Also, looks like the CA is CAcert--an awesome CA, but not trusted by
> browsers by default. I'd suggest getting a cert from StartSSL
> [https://startssl.com/], since they're the only CA that gives certs for
> free. And a wildcard cert (for *.gnupg.org) ends up costing like $60 USD.

Regardless of how you feel about the CA cartel in general, StartSSL is
not the only member of the cartel offering gratis certs, particularly
for well-known free software projects. (Also, as a business in Israel,
StartSSL is the target of an ongoing international boycott due to
Israeli domestic policy -- http://www.bdsmovement.net/).

Other members of the CA cartel that offer gratis certificates
(particularly for free software projects) include:



A not-insignificant cost for all of this stuff (regardless of whether
the cert itself is gratis or not) is understanding and compliance with
the terms of service of the particular CA, keeping the certificate
up-to-date, and figuring out which silly rules each CA happens to impose
(for example, some CAs appear to only issue certs over the end-entity's
RSA key if it has 2048-bits or 4096-bits, but they will not accept any
keylength in between; other CAs require certain fields to be present in
the CSR that are meaningless, but must be filled in with "NA" (meaning,
presumably, 'not applicable'), and so on).  Some gratis certificates
become non-gratis after the first year, and some CAs change their
policies from year to year as well.  Some of these issues may be less
bad when dealing with CACert.

I'd argue that none of these cartel members are actually any more
reliable than CACert, but it may still be useful to get a certification
from a cartel member just because of the existing lock-in situation.  In
the meantime, other mechanisms (like DANE or monkeysphere) can provide
parallel certification paths for people who do not want to rely on the

I'm happy to see more advocacy for stronger crypto by default for as
many public-facing services as possible.  But i don't think we should be
advocating for use of a single vendor, particularly one in the dominant
CA cartel.

Werner, if i can help with configuring or maintaining the web server for
gnupg.org to address some of these issues, please let me know.



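As an added example (not part of this thread, and not the gnupg.org server's own tooling), the following POSIX shell script produces a CSR in the shape the paragraph on CA rules above describes, an RSA key of exactly 2048 or 4096 bits with every subject field filled in, "NA" as the placeholder, and checks the result before it is sent to a CA. Assumptions: openssl is on PATH; the accepted key sizes and the "NA" placeholders are taken from that paragraph as an illustration, as is gnupg.org for the CN; which fields a particular CA really requires must come from that CA's own instructions.

```shell
#!/bin/sh
# Added example, not code from the thread or from gnupg.org.
# Assumes: openssl on PATH; the CA accepts only 2048- or 4096-bit RSA keys
# (as described in the thread); subject fields it insists on are filled with
# "NA"; CN=gnupg.org is illustrative.
set -eu

# key_size_accepted BITS -> 0 if BITS is one of the sizes the CA takes
key_size_accepted() {
    case "$1" in
        2048|4096) return 0 ;;
        *)         return 1 ;;
    esac
}

# csr_key_bits CSR -> prints the RSA modulus size recorded in the CSR
csr_key_bits() {
    openssl req -in "$1" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p'
}

# make_csr BITS DIR -> writes DIR/key.pem, DIR/req.cnf and DIR/csr.pem.
# A config file with prompt=no is used instead of -subj so the same subject
# is reproduced every year when the cert has to be renewed.
make_csr() {
    bits=$1; dir=$2
    cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
C  = NA
ST = NA
L  = NA
O  = NA
OU = NA
CN = gnupg.org
EOF
    openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:$bits" \
        -out "$dir/key.pem" 2>/dev/null
    openssl req -new -key "$dir/key.pem" -config "$dir/req.cnf" \
        -out "$dir/csr.pem" 2>/dev/null
}

# precheck DIR -> 0 only if the CSR's self-signature verifies, the CN is the
# one we asked for, and the key size is one the CA will accept.  Running this
# locally is cheaper than discovering the rejection in the CA's web form.
precheck() {
    dir=$1
    openssl req -in "$dir/csr.pem" -noout -verify >/dev/null 2>&1 || return 1
    openssl req -in "$dir/csr.pem" -noout -subject \
        | grep -Eq 'CN ?= ?gnupg\.org' || return 1
    key_size_accepted "$(csr_key_bits "$dir/csr.pem")"
}

# Stand-alone demo: ./csr.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_csr 2048 "$d"
    if precheck "$d"; then
        echo "CSR ready for submission: $d/csr.pem"
    else
        echo "CSR would be rejected, fix before submitting" >&2
    fi
fi
```

A 3072-bit key passes every openssl check and is still refused by `precheck`, which is exactly the class of CA rule the paragraph above complains about: nothing in the CSR is wrong, it merely fails the CA's arbitrary size list.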