bugs.gnupg.org TLS certificate
Mark H. Wood
mwood at IUPUI.Edu
Fri Mar 13 14:04:30 CET 2015
On Fri, Mar 13, 2015 at 05:55:53AM -0300, Hugo Osvaldo Barrera wrote:
> On 2015-03-13 08:21, Werner Koch wrote:
> > On Fri, 13 Mar 2015 00:21, hugo at barrera.io said:
> >
> > > No need for a wildcard one. Just get one free certificate for each subdomain
> > > from StartSSL.
> >
> > Definitely not. It is far easier to pay 10 Euro a year for one from
> > Gandi. But that is all not an issue, migrating Roundup to a newer
> > version is more work.
> >
> >
>
> I don't see what's easier (maybe it takes a few minutes less?), nor the point
> in paying for something you can have for free with the same quality.

That is precisely the issue with free or even cheap certificates:
they are likely *not* of the same quality.

A few years ago, I ordered my first certificate from a well-known CA.
They charged us $159.00. I *know* that they check up on new
applicants: our security officer got a phone call from them, asking if
I was legitimately representing the organization. That certificate
certified more than just "probably the same host that presented this
certificate to you last time."

A CA that charges nothing cannot afford to do much (any?) checking of
the assertions in my CSR. The resulting signature thus cannot have
some of the meaning that a more thoroughly investigated CSR can
support.

A free cert. may have all of the qualities that you need, but I
recommend that you think as carefully about your choice of CA as you
do about who you would have sign a PGP key. The more you depend on
a certificate for *establishing* trust, the more it's going to cost
you, because it's going to cost the issuer more to provide that
assurance while protecting his own reputation.

--
Mark H. Wood
Lead Technology Analyst
University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu