bugs.gnupg.org TLS certificate

Doug Barton dougb at dougbarton.email
Fri Mar 13 04:57:45 CET 2015

It's quite disingenuous to say you don't have an opinion, when obviously 
you do.

This topic was debated at length on this list when Heartbleed happened. 
There are two camps:

1. Those who think that if you offer any kind of free service, you have 
to offer all related services for free as well. "I want it, so you must 
give it to me."

2. Those who think that companies like StartSSL who are offering 
tremendous value to the community for free have the right to recoup some 
of their operational expenses for requests that go outside the norm, 
and/or cannot be handled with an automated system.

If you are in the first camp, you have every right to your belief, but 
that belief does not match up with the real world.

If you are in the second camp, pull up a chair, I've got a cooler full 
of $BEVERAGE that I'll be happy to share. :)


On 3/12/15 7:27 PM, Avi wrote:
> I have no opinion one way or the other re: StartSSL, but there are those
> who do:
> <https://danconnor.com/post/50f65364a0fd5fd1f7000001/avoid_startcom_startssl_like_the_plague_>
> <https://bugzilla.mozilla.org/show_bug.cgi?id=994033>
> <https://www.techdirt.com/articles/20140409/11442426859/shameful-security-startcom-charges-people-to-revoke-ssl-certs-vulnerable-to-heartbleed.shtml>
> etc.
> Avi
> ----
> User:Avraham
> pub 3072D/F80E29F9 1/30/2009 Avi (Wikimedia-related key)
> <avi.wiki at gmail.com <mailto:avi.wiki at gmail.com>>
>     Primary key fingerprint: 167C 063F 7981 A1F6 71EC ABAA 0D62 B019
> F80E 29F9
> On Thu, Mar 12, 2015 at 7:47 PM, Mick Crane <mick.crane at gmail.com
> <mailto:mick.crane at gmail.com>> wrote:
>>>     On 12 Mar 2015, at 23:21, Hugo Osvaldo Barrera <hugo at barrera.io
>>>     <mailto:hugo at barrera.io>> wrote:
>>>     On 2015-03-11 17:38, Werner Koch wrote:
>>>     On Wed, 11 Mar 2015 15:12, brian at minton.name
>>>     <mailto:brian at minton.name> said:
>>>>     git.gnupg.org <http://git.gnupg.org/>) don't use that
>>>>     certificate.  Have you considered a wildcard
>>>>     certificate?  I know this has been discussed before, e.g. at
>>>     Too expensive ;-).  To stop all these complaints I will add a so
>>>     called
>>>     real certificate but first I need to move the tracker to another
>>>     machine.
>>>     Shalom-Salam,
>>>      Werner
>>     No need for a wildcard one. Just get one free certificate for each
>>     subdomain
>>     from StartSSL.

More information about the Gnupg-users mailing list