Another step towards crowdfunding

Micah Lee micah at
Wed Dec 18 02:45:43 CET 2013

On 12/17/2013 04:10 PM, Doug Barton wrote:
> I have no connection to StartSSL other than "satisfied non-paying
> 'customer'" but they do the trick, and the price is right. There are
> other free options as well, as was pointed out here recently. It doesn't
> matter to me which one y'all choose, but please, choose one and let's
> move on.

Another argument for doing this.

The centralized public key infrastructure is badly flawed, but if you do
have a cert that's signed by a CA that Firefox and Chromium trust you
get added to the HSTS preload lists for those browsers.

Here's a bit about what HSTS is:

Chromium (and by extension Chrome) ships with a list of websites that
are preloaded with HSTS. Here's info about getting in the Chromium list: (specifically, email Adam Langley at
agl at

Here's Firefox's feature definition for its HSTS preload list:

I don't know what the policy is to get on their list, but Firefox
currently ships with it:

So my guess is to just open a bug asking to get added.

As far as I know these preload lists only force HTTPS for these domains.
I wonder if anyone could convince the browser vendors to also do
certificate pinning, bypassing PKI based on CAs altogether?

Micah Lee

More information about the Gnupg-users mailing list