On Thu, Sep 27, 2007 at 06:47:36PM -0400, Caleb Tennis wrote:
> Is there a reason that my Godaddy suggestion in the bug isn't being
> considered?
> Regardless of what you may think of them as a company, they offer the same
> free type of certificate to open source projects just like cacert, and with
> what looks to be considerably less overhead.  I understand that cacert is
> more "open sourcy" than godaddy, but if they're as much of a roadblock as
> the Trustees are in this case, maybe going that route would enable us to
> move forward?
See my comment #14, regarding regenerating the certs [1] each time the set
of SSL vhosts on a box changes. For mail services, this isn't really an
issue, but for web services it's a big one. Wildcards only work in
Mozilla, and nowhere else [2].

[1] http://wiki.cacert.org/wiki/VhostTaskForce#head-7236c4e2c9932ef42056b3ff6d367053081887de
[2] http://wiki.cacert.org/wiki/WildcardCertificates

> > I don't agree that it's a big improvement. If you read the bug above,
> > you'll note that we did at one stage have a 'Gentoo CA' that Infra ran
> > for generating certs.
> It is a big improvement.  Not in security, but in perception.
Ok, let's narrow this down for a moment.
Of the SSL-using services that Gentoo has, which do we care about for
users (NOT developers)? 
bugs.g.o and forums.g.o are the main two that I'm aware of.
Are there any others that get high traffic of security-clueless users?

If there aren't too many AND we can get a dedicated IP for each of those
services, I'd like to suggest the following, as an easily doable and
low-overhead (in terms of Trustees/paperwork) solution:

1. On the services identified, get extra IPs, and use the free GoDaddy certs.
2. On other services use the Gentoo-CA approach.

-- 
Robin Hugh Johnson
Gentoo Linux Developer & Infra Guy
E-Mail     : [EMAIL PROTECTED]
GnuPG FP   : 11AC BA4F 4778 E3F6 E4ED  F38E B27B 944E 3488 4E85
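The operational point in the message above is that a certificate covering several SSL vhosts must be regenerated whenever the set of vhosts on the box changes, and that wildcard names only help where the client honours them. The following is an added example, not code from this thread or from Gentoo Infra: given the DNS names a certificate carries (subject CN plus subjectAltName entries, supplied here as a constructed list rather than parsed from a PEM) and the list of SSL vhosts configured on a host, it reports which vhosts the certificate does not cover, so an admin can tell whether a regeneration is needed. Wildcard matching follows the RFC 6125 convention that clients which do honour wildcards apply: a `*` is allowed only as the entire leftmost label and matches exactly one label. All hostnames are constructed placeholders.

```python
"""Check which SSL vhosts on a box a certificate's names cover.

Added example for the discussion above; not part of the thread.
The certificate names are supplied as a constructed list. In practice they
would come from the PEM, e.g. `openssl x509 -noout -subject -ext subjectAltName`.
"""

from typing import Iterable, List


def _match(pattern: str, host: str) -> bool:
    """RFC 6125-style name match.

    A '*' is accepted only as the whole leftmost label and matches exactly one
    label: '*.example.org' covers 'bugs.example.org' but neither 'example.org'
    nor 'a.b.example.org'. Patterns like '*.org' are refused.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # Wildcard must be the entire leftmost label, and appear nowhere else.
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    # Require at least two fixed labels so '*.org' never matches anything.
    if len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def covered_by(cert_names: Iterable[str], host: str) -> bool:
    """True if any name on the certificate matches the vhost."""
    return any(_match(name, host) for name in cert_names)


def uncovered_vhosts(cert_names: Iterable[str], vhosts: Iterable[str]) -> List[str]:
    """Sorted list of configured vhosts that the certificate does not cover."""
    names = list(cert_names)
    return sorted(host for host in vhosts if not covered_by(names, host))


def needs_regeneration(cert_names: Iterable[str], vhosts: Iterable[str]) -> bool:
    """True when the vhost set has grown past what the certificate names."""
    return bool(uncovered_vhosts(cert_names, vhosts))


# Constructed sample data (placeholder hostnames, not real deployments).
SAN_CERT = ["bugs.example.org", "forums.example.org"]
WILDCARD_CERT = ["*.example.org"]
VHOSTS_BEFORE = ["bugs.example.org", "forums.example.org"]
VHOSTS_AFTER = VHOSTS_BEFORE + ["wiki.example.org", "example.org"]

if __name__ == "__main__":
    for label, cert in (("SAN cert", SAN_CERT), ("wildcard cert", WILDCARD_CERT)):
        missing = uncovered_vhosts(cert, VHOSTS_AFTER)
        state = "regenerate" if missing else "ok"
        print(f"{label}: {state}; uncovered vhosts: {missing}")
```

Run it after editing the vhost list: a non-empty `uncovered_vhosts` result means the certificate must be reissued before the new vhost goes live. Note that the wildcard certificate still leaves the bare domain uncovered, which is one reason a per-service certificate on its own IP, as proposed in the message, is the simpler option where the client population is mixed.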
