[OT] Why are you using the GPG / PGP keys?

Pete Stephenson pete at heypete.com
Wed May 29 19:43:31 CEST 2013

On 5/29/2013 7:28 PM, Johan Wevers wrote:
> It seems not to be recognised by my phone though so there is no
> advantage there over a selfsigned key.

That's odd. What phone do you have? They're certainly not in every
device, but their root is in iOS and Android devices, as well as pretty
much all the major desktop browsers.

> More of a disadvantage, since using a selfsigned key allows me to
> keep out all the personal details not strictly needed, so when I'm on
> holiday peeping governments don't easily know whose server I'm
> contacting (OK, security by obscurity, but still). And their key is
> valid only for 1 year, which is inconvenient.

Their free keys are only valid for one year, but paid users can get keys
that are valid for two years. That's not uncommon for many CAs.

> Further, they deliver the private key to you, so they have access to it.
> A BIG security hole, especially since they're (also) US based: if they
> have access, so does the US government via the Patriot Act, which has
> probably already put me on their watch list for liking Wikileaks on
> Facebook. Thanks but no thanks.

They're based in Israel, not the US.

Additionally, it's an option to have them generate the private key for
customers who are too lazy to generate their own private key and CSR,
but it is not required: the certificate-creation procedure also allows
for customers to provide them with a CSR produced from a
customer-generated private key.


ObDisclaimer: I'm a paid customer of StartSSL, but otherwise have no
connection or relationship with them.
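The alternative described above (customer-generated key, CSR handed to the CA) in concrete form. This is an added example, not code from the post or from StartSSL; it assumes OpenSSL is installed, and the hostname www.example.com and the output directory are placeholders. The private key never leaves the directory it is written to, the CSR carries only a CN (no O/OU/L/email fields, which keeps optional personal details out of the certificate), and a final check confirms that the public key in the CSR is the one derived from the local private key before anything is submitted.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): generate the private
# key locally and send the CA only a CSR, so the CA never holds the key.
# Assumes OpenSSL is installed. Hostname and directory are placeholders.

# gen_key_and_csr DIR CN
#   Writes DIR/server.key (RSA 2048, mode 0600) and DIR/server.csr whose
#   subject is just /CN=CN. Returns non-zero if either step fails.
gen_key_and_csr() {
    dir=$1
    cn=$2
    # Subshell so the restrictive umask (key must not be group/world
    # readable) does not leak into the caller's shell.
    ( umask 077
      openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
          -out "$dir/server.key" 2>/dev/null ) || return 1
    # Only the CN goes into the request: nothing else is strictly needed
    # for a server certificate, so nothing else is disclosed.
    openssl req -new -key "$dir/server.key" -subj "/CN=$cn" \
        -out "$dir/server.csr" 2>/dev/null || return 1
}

# csr_matches_key DIR
#   Succeeds only if the public key embedded in the CSR is exactly the
#   public half of DIR/server.key, i.e. what we submit pairs with what we hold.
csr_matches_key() {
    dir=$1
    from_key=$(openssl pkey -in "$dir/server.key" -pubout 2>/dev/null)
    from_csr=$(openssl req -in "$dir/server.csr" -pubkey -noout 2>/dev/null)
    [ -n "$from_key" ] && [ "$from_key" = "$from_csr" ]
}

# csr_subject DIR
#   Prints the subject the CA will see, so it can be eyeballed before submission.
csr_subject() {
    openssl req -in "$1/server.csr" -noout -subject 2>/dev/null
}

# key_is_private DIR
#   Succeeds if DIR/server.key is readable by its owner only (-rw-------).
key_is_private() {
    [ "$(ls -l "$1/server.key" | cut -c1-10)" = "-rw-------" ]
}

# Usage (placeholder values):
#   d=$(mktemp -d) && gen_key_and_csr "$d" www.example.com \
#       && csr_matches_key "$d" && key_is_private "$d" && csr_subject "$d"
#   Then upload "$d/server.csr" to the CA; "$d/server.key" stays local.
```

Only server.csr is uploaded; the CA returns a certificate for the key it never saw. If csr_matches_key fails, the CSR was produced from some other key and the resulting certificate would be useless on this server, so check it before submitting rather than after.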
