On 19/06/19 12.38, Paul Wise wrote:
> On Wed, Jun 19, 2019 at 12:51 PM Bagas Sanjaya wrote:
>> Unlike LE, we (debian.org) have to create Certificate Signing Requests (CSR)
>> which will be sent to those CAs.
>
> As a member of the Debian sysadmin team I can tell you that this is
> never going to happen. Manually doing TLS is way too much work when
> you have hundreds of subdomains and a terrible idea and we will never
> go back to doing it.
>
>> EV certificates can be useful for large organizations like Debian.
>
> EV certificates are becoming less useful over time, they are probably
> a waste of money now:
> https://scotthelme.co.uk/are-ev-certificates-worth-the-paper-theyre-written-on/
>
>> would commercial SSL/TLS make sense for debian.org website?
>
> No.

> Manually doing TLS is way too much work when
> you have hundreds of subdomains and a terrible idea and we will never
> go back to doing it.
It can be prevented by using wildcard certificates, which are valid for
all subdomains of a site (e.g. subdomain.mydomain.me but not
subdomain.subdomain.mydomain.me). In wildcard certificates,
*.mydomain.me is used as the Subject Alternative Name (SAN).
>> would commercial SSL/TLS make sense for debian.org website?
>
> No.
Why did you say that? In fact, the Ubuntu <https://ubuntu.com> and
RedHat <https://redhat.com> websites use certificates from DigiCert.
If debian.org (www.d.o) also used a DigiCert (DC) certificate, it would
make sense to use a wildcard certificate without EV, as you stated in the
reply. BTW, because the DC site is probably down for now, I can't post here
about certificate pricing.
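On the point above about what a wildcard SAN does and does not cover, here is an added example (my own code, not from this thread or from Debian's infrastructure) implementing the dNSName matching rules a TLS client applies per RFC 6125 section 6.4.3; the SAN list and hostnames are constructed samples.

```python
"""Check whether a certificate's SAN dNSName entries cover a hostname."""
import ipaddress

# Constructed sample: the SAN list of a hypothetical wildcard certificate.
EXAMPLE_SANS = ["debian.org", "*.debian.org"]


def _normalise(name: str) -> str:
    # DNS names are case-insensitive; drop a single trailing dot.
    return name.lower().rstrip(".")


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """True if one SAN dNSName pattern matches hostname.

    Rules enforced:
      * a wildcard is only honoured as the complete leftmost label,
        so "w*.example.org" is rejected outright;
      * "*" matches exactly one label: "*.example.org" covers
        "www.example.org" but neither "example.org" nor "a.b.example.org";
      * a wildcard may not cover a whole TLD ("*.org").
    """
    pattern, hostname = _normalise(pattern), _normalise(hostname)
    if not pattern or not hostname:
        return False
    try:  # IP addresses are never matched by dNSName entries.
        ipaddress.ip_address(hostname)
        return False
    except ValueError:
        pass
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    if p_labels[0] != "*" or any("*" in lab for lab in p_labels[1:]):
        return False
    if len(p_labels) < 3 or len(h_labels) != len(p_labels):
        return False
    return h_labels[1:] == p_labels[1:]


def covered_by(sans: list, hostname: str) -> bool:
    """True if any SAN dNSName in the certificate covers hostname."""
    return any(dns_name_matches(san, hostname) for san in sans)
```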