On Fri, Mar 27, 2015 at 04:44:16PM +0100, Marc Schiffbauer wrote:
> >"Certificates are too expensive"
> >Gentoo already has certs for all pages, so this is not an argument
> >here, but if this ever becomes an issue there are a number of CAs these
> >days that issue free certs. In summer the community based CA Let's
> >encrypt will start which will be another option.
> Or CAs which offer a "Cert Flatrate" for a small fee per year like
> StartSSL.com

Please don't promote StartSSL with their excessive demands for personal information:
https://www.startssl.com/?app=34
Passport AND (Drivers License or National ID)

To be able to issue certs from them, EACH person in an organization needs to comply with that "Identity Validation", and the organization validation is on top of that:
https://www.startssl.com/?app=35

How many people here would willingly send this level of detail to somebody in a foreign country? Does your home country not have strict regulations about who can keep a copy of this information (retaining this information is mostly prohibited by my local laws).

We're with DigiCert instead, where only the organization was verified. They also have a good API for generating certificates, which was invaluable during the Heartbleed certificate switchover.

> >I think defaulting the net to HTTPS is a big step for more security and
> >I think Gentoo should join the trend here.
> ... DNSSEC with TLSA records comes to my mind

I proposed TLSA on the lists last year, and got very few takers. DNSSEC has been in place for years already.

--
Robin Hugh Johnson
Gentoo Linux: Developer, Infrastructure Lead
E-Mail : robb...@gentoo.org
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85