bugs.gnupg.org TLS certificate
Mark H. Wood
mwood at IUPUI.Edu
Fri Mar 13 14:04:30 CET 2015
On Fri, Mar 13, 2015 at 05:55:53AM -0300, Hugo Osvaldo Barrera wrote:
> On 2015-03-13 08:21, Werner Koch wrote:
> > On Fri, 13 Mar 2015 00:21, hugo at barrera.io said:
> > > No need for a wildcard one. Just get one free certificate for each subdomain
> > > from StartSSL.
> > Definitely not. It is far easier to pay 10 Euro a year for one from
> > Gandi. But that is all not an issue, migrating Roundup to a newer
> > version is more work.
> I don't see what's easier (maybe it takes a few minutes less?), nor the point
> in paying for something you can have for free with the same quality.

That is precisely the issue with free or even cheap certificates:
they are likely *not* of the same quality.

A few years ago, I ordered my first certificate from a well-known CA.
They charged us $159.00. I *know* that they check up on new
applicants: our security officer got a phone call from them, asking if
I was legitimately representing the organization. That certificate
certified more than just "probably the same host that presented this
certificate to you last time."

A CA that charges nothing cannot afford to do much (any?) checking of
the assertions in my CSR. The resulting signature thus cannot have
some of the meaning that a more thoroughly investigated CSR can.

A free cert. may have all of the qualities that you need, but I
recommend that you think as carefully about your choice of CA as you
do about who you would have sign a PGP key. The more you depend on
a certificate for *establishing* trust, the more it's going to cost
you, because it's going to cost the issuer more to provide that
assurance while protecting his own reputation.

Mark H. Wood
Lead Technology Analyst
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202