bugs.gnupg.org TLS certificate

Ville Määttä mailing-lists at asatiifm.net
Fri Mar 13 14:57:16 CET 2015


On 13.03.15 15:04, Mark H. Wood wrote:
> On Fri, Mar 13, 2015 at 05:55:53AM -0300, Hugo Osvaldo Barrera wrote:
>> On 2015-03-13 08:21, Werner Koch wrote:
>>> On Fri, 13 Mar 2015 00:21, hugo at barrera.io said:
>>>
>>>> No need for a wildcard one. Just get one free certificate for each subdomain
>>>> from StartSSL.
>>>
>>> Definitely not.  It is far easier to pay 10 Euro a year for one from
>>> Gandi.  But that is all not an issue, migrating Roundup to a newer
>>> version is more work.
>>>
>>
>> I don't see what's easier (maybe it takes a few minutes less?), nor the point
>> in paying for something you can have for free with the same quality.
> That is precisely the issue with free or even cheap certificates:
> they are likely *not* of the same quality.
> 
> A few years ago, I ordered my first certificate from a well-known CA.
> They charged us $159.00.  I *know* that they check up on new
> applicants: our security officer got a phone call from them, asking if
> I was legitimately representing the organization.  That certificate
> certified more than just "probably the same host that presented this
> certificate to you last time."

The CA cartel has specified clear and binding rules for the
participating CAs as to what level of validation is required. This is
overly simplified but they are essentially:

Domain validation (Class 1)
Organization validation (Class 2)
Extended Validation (Class 3)

Anything automatically validated, i.e. by some file at a URL, a DNS check,
etc., is a Class 1 cert. The rest require filing paperwork and usually take
from hours to days to complete. And there is no reason for anyone to try
guessing which level a cert belongs to; they tell you the validation level
beforehand.

> A CA that charges nothing cannot afford to do much (any?) checking of
> the assertions in my CSR.
…
> A free cert. may have all of the qualities that you need, but I
> recommend that you think as carefully about your choice of CA as you
> do about who you would have sign a PGP key.

Many CAs will be happy to sell a Class 1 certificate for $100-200 or
more. Paying money for a cert doesn't necessarily make it any more
"certified". The CA business is a badly monopolized cartel where the old
farts have dug in years ago and are just counting the money :).

An Organization cert is the same regardless of where it comes from (in
the cartel). They have their own auditing and other requirements that
make sure of it. And for the end user of a site it is (or should be) of no
concern which CA is behind the cert, just what level of validation the
cert has. And how many users actually care? Not many (except for the
branded "green bar").

-- 
Ville
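As an added example (not part of the thread, and not GnuPG or Roundup code): the point above that a cert tells you its validation level rather than leaving you to guess refers to the CA/Browser Forum policy OIDs a publicly trusted cert carries in its certificatePolicies extension (2.23.140.1.1 for EV, 2.23.140.1.2.1 for DV, 2.23.140.1.2.2 for OV, 2.23.140.1.2.3 for IV). The Go program below reads that OID from a parsed certificate and, when none is present, falls back to the subject: an O= means the CA vetted an organization, a bare CN means domain validation only. The certificates it classifies are self-signed ones it constructs itself, with the assumed names bugs.example.org and "Example Org"; no real CA issuance is involved, and the certificatePolicies extension is encoded by hand so the example does not depend on a particular Go version's CreateCertificate behaviour.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// CA/Browser Forum policy OIDs. A publicly trusted cert declares its
// validation level by carrying one of these in certificatePolicies.
var (
	OIDCABFEV = asn1.ObjectIdentifier{2, 23, 140, 1, 1}
	OIDCABFDV = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1}
	OIDCABFOV = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 2}
	OIDCABFIV = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 3}
)

// id-ce-certificatePolicies
var oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}

// ValidationLevel returns the level the certificate declares through a
// CA/Browser Forum policy OID (declared == true). Without such an OID it
// falls back to the subject: an organizationName means an organization was
// vetted (OV), a CN-only subject means domain validation only (DV).
func ValidationLevel(cert *x509.Certificate) (level string, declared bool) {
	for _, oid := range cert.PolicyIdentifiers {
		switch {
		case oid.Equal(OIDCABFEV):
			return "EV", true
		case oid.Equal(OIDCABFOV):
			return "OV", true
		case oid.Equal(OIDCABFIV):
			return "IV", true
		case oid.Equal(OIDCABFDV):
			return "DV", true
		}
	}
	if len(cert.Subject.Organization) > 0 {
		return "OV", false
	}
	return "DV", false
}

// policyInformation is ASN.1 PolicyInformation with policyQualifiers omitted.
type policyInformation struct {
	Policy asn1.ObjectIdentifier
}

// certificatePoliciesExt encodes SEQUENCE OF PolicyInformation by hand.
func certificatePoliciesExt(oids ...asn1.ObjectIdentifier) (pkix.Extension, error) {
	infos := make([]policyInformation, 0, len(oids))
	for _, oid := range oids {
		infos = append(infos, policyInformation{Policy: oid})
	}
	der, err := asn1.Marshal(infos)
	if err != nil {
		return pkix.Extension{}, err
	}
	return pkix.Extension{Id: oidCertificatePolicies, Value: der}, nil
}

// NewTestCert builds a constructed, self-signed certificate for this example;
// it is not a CA-issued cert. An empty org gives a DV-style subject (CN only).
func NewTestCert(cn, org string, policies ...asn1.ObjectIdentifier) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	subject := pkix.Name{CommonName: cn}
	if org != "" {
		subject.Organization = []string{org}
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      subject,
		DNSNames:     []string{cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if len(policies) > 0 {
		ext, err := certificatePoliciesExt(policies...)
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{ext}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Constructed samples with assumed names, not real issuances.
	samples := []struct {
		desc, cn, org string
		policies      []asn1.ObjectIdentifier
	}{
		{"DV policy OID, CN only", "bugs.example.org", "", []asn1.ObjectIdentifier{OIDCABFDV}},
		{"OV policy OID, O= set", "bugs.example.org", "Example Org", []asn1.ObjectIdentifier{OIDCABFOV}},
		{"EV policy OID, O= set", "bugs.example.org", "Example Org", []asn1.ObjectIdentifier{OIDCABFEV}},
		{"no policy OID, O= set", "bugs.example.org", "Example Org", nil},
	}
	for _, s := range samples {
		cert, err := NewTestCert(s.cn, s.org, s.policies...)
		if err != nil {
			fmt.Println(s.desc, "error:", err)
			continue
		}
		level, declared := ValidationLevel(cert)
		fmt.Printf("%-24s -> %s (declared by policy OID: %v)\n", s.desc, level, declared)
	}
}
```

To apply this to a real site, feed `x509.ParseCertificate` the leaf from a TLS connection instead of `NewTestCert`. Two caveats: the subject fallback is an inference on the checker's side, not something the CA asserted, and before the CA/Browser Forum EV OID existed each CA signalled EV with its own OID that browsers carried in a list, so such an older EV cert is reported here only as OV by subject.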
