bugs.gnupg.org TLS certificate

Fri Mar 13 05:24:33 CET 2015

No, Doug, I really don't have an opinion. To do so, I would have had to
given some thought to the relative merits of both sides and crystallized an
opinion. Since SSL certificates do not directly apply to me at this moment,
I have not given it the attention it deserves, and so I cannot in good
faith have a reasoned opinion; so I don't--out of ignorance if you wish. My
point in posting those links was that I remembered seeing this in the past,
and thought it fair to bring to Werner's attention that there was some
controversy, so that he can, if he wishes, research both sides and come to
his own measured opinion.

Avi

Avi

----
User:Avraham

pub 3072D/F80E29F9 1/30/2009 Avi (Wikimedia-related key) <avi.wiki at gmail.com
>
   Primary key fingerprint: 167C 063F 7981 A1F6 71EC ABAA 0D62 B019 F80E
29F9

On Thu, Mar 12, 2015 at 11:57 PM, Doug Barton <dougb at dougbarton.email>
wrote:

> It's quite disingenuous to say you don't have an opinion, when obviously
> you do.
>
> This topic was debated at length on this list when Heartbleed happened.
> There are two camps:
>
> 1. Those who think that if you offer any kind of free service, you have to
> offer all related services for free as well. "I want it, so you must give
> it to me."
>
> 2. Those who think that companies like StartSSL who are offering
> tremendous value to the community for free have the right to recoup some of
> their operational expenses for requests that go outside the norm, and/or
> cannot be handled with an automated system.
>
> If you are in the first camp, you have every right to your belief, but
> that belief does not match up with the real world.
>
> If you are in the second camp, pull up a chair, I've got a cooler full of
> $BEVERAGE that I'll be happy to share. :)
>
> Doug
>
>
> On 3/12/15 7:27 PM, Avi wrote:
>
>> I have no opinion one way or the other re: StartSSL, but there are those
>> who do:
>>
>> <https://danconnor.com/post/50f65364a0fd5fd1f7000001/
>> avoid_startcom_startssl_like_the_plague_>
>> <https://bugzilla.mozilla.org/show_bug.cgi?id=994033>
>> <https://www.techdirt.com/articles/20140409/11442426859/
>> shameful-security-startcom-charges-people-to-revoke-ssl-
>> certs-vulnerable-to-heartbleed.shtml>
>>
>> etc.
>>
>> Avi
>>
>>
>> ----
>> User:Avraham
>>
>> pub 3072D/F80E29F9 1/30/2009 Avi (Wikimedia-related key)
>> <avi.wiki at gmail.com <mailto:avi.wiki at gmail.com>>
>>     Primary key fingerprint: 167C 063F 7981 A1F6 71EC ABAA 0D62 B019
>> F80E 29F9
>>
>> On Thu, Mar 12, 2015 at 7:47 PM, Mick Crane <mick.crane at gmail.com
>> <mailto:mick.crane at gmail.com>> wrote:
>>
>>
>>
>>      On 12 Mar 2015, at 23:21, Hugo Osvaldo Barrera <hugo at barrera.io
>>>>     <mailto:hugo at barrera.io>> wrote:
>>>>
>>>>     On 2015-03-11 17:38, Werner Koch wrote:
>>>>     On Wed, 11 Mar 2015 15:12, brian at minton.name
>>>>     <mailto:brian at minton.name> said:
>>>>
>>>>      git.gnupg.org <http://git.gnupg.org/>) don't use that
>>>>>     certificate.  Have you considered a wildcard
>>>>>     certificate?  I know this has been discussed before, e.g. at
>>>>>
>>>>
>>>>     Too expensive ;-).  To stop all these complaints I will add a so
>>>>     called
>>>>     real certificate but first I need to move the tracker to another
>>>>     machine.
>>>>
>>>>
>>>>     Shalom-Salam,
>>>>
>>>>      Werner
>>>>
>>>
>>>     No need for a wildcard one. Just get one free certificate for each
>>>     subdomain
>>>     from StartSSL.
>>>
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20150313/d792c01d/attachment.html>