Re: bugs.gnupg.org TLS certificate
On 3/13/2015 10:02 AM, Ville Määttä wrote:
> On 13.03.15 15:27, Werner Koch wrote:
>> The more expensive CAs are only selling you a fashionable background color for the client's address bar.
>
> Essentially, that's it :). There are however clearly defined hard requirements to the Extended Validation, aka green bar level. That is, more involved validation of the organization and the person requesting the certificate. But those EV certs can be had for cheaper than hundreds of dollars per year.

This topic brought to mind some interesting proposed RFCs that could essentially eliminate the need for centralized certificate authorities. Just wanted to get some opinions on the topics since it's related to certificate issues and the slavery of security to an external authority. The combination of DNSSEC[1] and DANE[2] authentication can essentially make a self-signed certificate as legitimate as one signed by an official CA (if I'm not mistaken). There were some security implications IIRC, but not being a professional on the subject, I'm not sure what they were. I started implementing them on my own website and I am very interested in seeing these proposals become official standards. I'm also interested in anyone else's thoughts who might have more insight into the downsides or repercussions of relying strictly on such a system (if external CAs no longer existed, for example).

[1] https://tools.ietf.org/html/rfc4035
[2] https://tools.ietf.org/html/rfc6698

-- 
Antony Prince
Key ID: 0x4F040744
Fingerprint: FE96 5B7F A708 18D3 B74B 959F A6E1 6242 4F04 0744
URL: https://hkps.pool.sks-keyservers.net/pks/lookup?op=get&search=0xA6E162424F040744

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: bugs.gnupg.org TLS certificate
On 3/13/2015 6:31 PM, Damien Goutte-Gattat wrote:
> The fact that they are called “proposed standards” does not really mean anything. Many widely deployed and successful IETF protocols are still officially considered “proposed standard” and not “Internet standard”, that does not make them less official.

I know what you mean. They were proposed years ago and still maintain the proposed status.

> I don’t have any more insight, but I’d say that the main downside of both DNSSEC and DANE is that almost no TLS client implements them… As far as I know, most if not all of the DNS resolvers immediately available on a client system don’t perform DNSSEC validation.

I use BIND (named) as my DNS server and it is DNSSEC capable as well as DLV-Lookaside capable. Google's public DNS servers are also capable of both, since I used them a lot for DNS record timeout testing among other things.

> Even if we assume that the system DNS resolver is DNSSEC-capable, I don’t know of any browser (or any other kind of TLS client software) that cares about DNSSEC and/or TLSA records. For Firefox, you have to install a third-party extension [1], and for Chrome, support of DANE is not on Google’s agenda [2] (they prefer to rely on Certificate Transparency [3] instead, which in my opinion does not solve any of the main problems of the PKIX system, but this is another subject).

I have the Firefox extension myself and refuse to use Chrome since, IMO, it's nothing more than a bloated version of the Gecko engine which does a lot of useless crap I'm not interested in. Your mileage may vary. LOL. But that is another problem with its adoption as a standard: most (if not all) mainstream browsers don't support it natively.

> I am, too, very interested in DANE, and in fact I have great hopes in it (all my TLS servers have TLSA records, and my browser can check them). But we are very far from the point where nobody would need to rely on “trusted” external CAs.

This I think is the main problem. Its adoption has not become mainstream. I'm of the conspiracy theory opinion that it's the CAs who are making sure it stays in the background, because otherwise they could potentially lose their entire market if everyone realized they didn't need a CA to properly and securely validate their certificates. (Pure personal opinion here, no facts to back it up.) My domain is secured via DNSSEC and all my certificates have TLSA records to back them up. I'm no professional at server administration, so if I can do it, anyone can. It's disheartening to see something so promising pushed to the side for so long when it could be a major benefit as far as internet security is concerned.

Thanks for your reply BTW. :)

-- 
Antony Prince
Key ID: 0x4F040744
Fingerprint: FE96 5B7F A708 18D3 B74B 959F A6E1 6242 4F04 0744
URL: https://hkps.pool.sks-keyservers.net/pks/lookup?op=get&search=0xA6E162424F040744
Re: bugs.gnupg.org TLS certificate
On 3/13/2015 9:28 PM, Antony Prince wrote:
>> As far as I know, most if not all of the DNS resolvers immediately available on a client system don’t perform DNSSEC validation.
>
> I use BIND (named) as my DNS server and it is DNSSEC capable as well as DLV-Lookaside capable. Google's public DNS servers are also capable of both, since I used them a lot for DNS record timeout testing among other things.

My mistake. You said resolvers, not servers. Only a minor difference there. Great! The server supports it! The resolver doesn't care! ;-)

-- 
Antony Prince
Key ID: 0x4F040744
Fingerprint: FE96 5B7F A708 18D3 B74B 959F A6E1 6242 4F04 0744
URL: https://hkps.pool.sks-keyservers.net/pks/lookup?op=get&search=0xA6E162424F040744
Re: bugs.gnupg.org TLS certificate
On 03/13/2015 08:23 PM, Antony Prince wrote:
> I am very interested in seeing these proposals become official standards.

The fact that they are called “proposed standards” does not really mean anything. Many widely deployed and successful IETF protocols are still officially considered “proposed standard” and not “Internet standard”, that does not make them less official. DNSSEC and DANE are as much “official standards” as, for example, OpenPGP (RFC 4880) and the X.509 PKI system (RFC 5280).

> I'm also interested in anyone else's thoughts who might have more insight into the downsides or repercussions of relying strictly on such a system (if external CAs no longer existed, for example).

I don’t have any more insight, but I’d say that the main downside of both DNSSEC and DANE is that almost no TLS client implements them… As far as I know, most if not all of the DNS resolvers immediately available on a client system don’t perform DNSSEC validation. Even if we assume that the system DNS resolver is DNSSEC-capable, I don’t know of any browser (or any other kind of TLS client software) that cares about DNSSEC and/or TLSA records. For Firefox, you have to install a third-party extension [1], and for Chrome, support of DANE is not on Google’s agenda [2] (they prefer to rely on Certificate Transparency [3] instead, which in my opinion does not solve any of the main problems of the PKIX system, but this is another subject).

I am, too, very interested in DANE, and in fact I have great hopes in it (all my TLS servers have TLSA records, and my browser can check them). But we are very far from the point where nobody would need to rely on “trusted” external CAs.

[1] https://www.dnssec-validator.cz/
[2] https://www.imperialviolet.org/2015/01/17/notdane.html
[3] http://www.certificate-transparency.org/what-is-ct
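The DANE mechanism discussed in this thread binds a certificate to a DNS name through a TLSA record (RFC 6698) rather than through a CA signature. The following is an added example, not code from the thread or from the GnuPG project: it derives the usual "3 1 1" record (DANE-EE usage, SubjectPublicKeyInfo selector, SHA-256) from a certificate and checks a presented certificate against it, and it shows why the SPKI selector survives a reissue with the same key while a full-certificate record does not. The certificate bytes are a constructed, unsigned DER stand-in (assumption, so the block runs offline), and the DER helpers and function names are the example's own.

```python
import hashlib

# ---- minimal DER helpers (just enough to walk an X.509 certificate) ----
def der_encode(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with a definite length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_decode(buf: bytes, off: int = 0):
    """Return (tag, value, next_offset) for the TLV starting at off."""
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nb = first & 0x7F
        length, hdr = int.from_bytes(buf[off + 2:off + 2 + nb], "big"), 2 + nb
    start = off + hdr
    return tag, buf[start:start + length], start + length

def der_children(body: bytes) -> list:
    """Split a SEQUENCE body into its child TLVs (raw bytes, headers included)."""
    out, off = [], 0
    while off < len(body):
        _, _, nxt = der_decode(body, off)
        out.append(body[off:nxt])
        off = nxt
    return out

def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo of a certificate.
    tbsCertificate = [0] version (optional), serial, sigAlg, issuer, validity, subject, spki, ..."""
    _, cert_body, _ = der_decode(cert_der)
    _, tbs_body, _ = der_decode(der_children(cert_body)[0])
    fields = der_children(tbs_body)
    return fields[6] if fields[0][0] == 0xA0 else fields[5]

# ---- TLSA record generation and matching (RFC 6698) ----
def tlsa_assoc_data(cert_der: bytes, selector: int, mtype: int) -> bytes:
    """Selector 0 = full cert, 1 = SPKI; matching type 0 = exact, 1 = SHA-256, 2 = SHA-512."""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    return {0: lambda d: d, 1: lambda d: hashlib.sha256(d).digest(),
            2: lambda d: hashlib.sha512(d).digest()}[mtype](data)

def tlsa_record(cert_der: bytes, usage: int = 3, selector: int = 1, mtype: int = 1) -> str:
    """Presentation form, e.g. '3 1 1 <hex>': DANE-EE, SPKI, SHA-256 (the usual choice)."""
    return f"{usage} {selector} {mtype} {tlsa_assoc_data(cert_der, selector, mtype).hex()}"

def tlsa_matches(record: str, cert_der: bytes) -> bool:
    """Check a server's end-entity certificate against one TLSA RR.
    Usage 3 (DANE-EE) is what lets a self-signed cert stand on its own; usage 1
    (PKIX-EE) needs the same match AND normal chain validation, which this example
    does not perform. Usages 0/2 (trust anchors) need the whole presented chain."""
    usage, selector, mtype, hexdata = record.split()
    if int(usage) not in (1, 3):
        raise NotImplementedError("trust-anchor usages need the full chain")
    return tlsa_assoc_data(cert_der, int(selector), int(mtype)) == bytes.fromhex(hexdata)

# ---- constructed stand-in certificate so the block runs offline ----
def build_fake_cert(pubkey: bytes, serial: int = 1) -> bytes:
    """Unsigned, constructed DER with the real X.509 field order (NOT a valid cert)."""
    seq = lambda *parts: der_encode(0x30, b"".join(parts))
    rsa_oid = der_encode(0x06, bytes.fromhex("2a864886f70d010101"))  # rsaEncryption
    spki = seq(seq(rsa_oid, der_encode(0x05, b"")), der_encode(0x03, b"\x00" + pubkey))
    tbs = seq(der_encode(0xA0, der_encode(0x02, b"\x02")),  # [0] version v3
              der_encode(0x02, bytes([serial])),             # serialNumber
              seq(rsa_oid), seq(), seq(), seq(),             # sigAlg, issuer, validity, subject
              spki)
    return seq(tbs, seq(rsa_oid), der_encode(0x03, b"\x00" * 9))  # sigAlg, dummy signature

if __name__ == "__main__":
    key = bytes(range(32))                 # constructed public-key bytes
    cert = build_fake_cert(key, serial=1)
    rr = tlsa_record(cert)                 # what you would publish at _443._tcp.<host>
    print(rr)
    print("matches:", tlsa_matches(rr, cert))
    # Reissuing with the same key (new serial) keeps a "3 1 1" record valid, while a
    # "3 0 1" (full-certificate) record would have to be republished before the swap.
    reissued = build_fake_cert(key, serial=2)
    print("reissued vs SPKI record     :", tlsa_matches(rr, reissued))
    print("reissued vs full-cert record:", tlsa_matches(tlsa_record(cert, 3, 0, 1), reissued))
```

In practice the record is published under the _port._proto.hostname label and the zone must be DNSSEC-signed for the client to trust it, which is the resolver-side gap the thread describes.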
Re: bugs.gnupg.org TLS certificate
On Fri, 13 Mar 2015 00:21, h...@barrera.io said:
> No need for a wildcard one. Just get one free certificate for each subdomain from StartSSL.

Definitely not. It's far easier to pay 10 Euro a year for one from Gandi. But that is all not an issue, migrating Roundup to a newer version is more work.

Salam-Shalom,

   Werner

-- 
Thoughts are free. Exceptions are regulated by a federal law.
Re: bugs.gnupg.org TLS certificate
On 2015-03-13 08:21, Werner Koch wrote:
> On Fri, 13 Mar 2015 00:21, h...@barrera.io said:
>> No need for a wildcard one. Just get one free certificate for each subdomain from StartSSL.
>
> Definitely not. It's far easier to pay 10 Euro a year for one from Gandi. But that is all not an issue, migrating Roundup to a newer version is more work.

I don't see what's easier (maybe it takes a few minutes less?), nor the point in paying for something you can have for free with the same quality. Personally, I can eat for almost a week with 10 Euros, so I'd very much go with the free version.

-- 
Hugo Osvaldo Barrera
A: Because we read from top to bottom, left to right.
Q: Why should I start my reply below the quoted text?
Re: bugs.gnupg.org TLS certificate
On Fri, Mar 13, 2015 at 05:55:53AM -0300, Hugo Osvaldo Barrera wrote:
> On 2015-03-13 08:21, Werner Koch wrote:
>> On Fri, 13 Mar 2015 00:21, h...@barrera.io said:
>>> No need for a wildcard one. Just get one free certificate for each subdomain from StartSSL.
>>
>> Definitely not. It's far easier to pay 10 Euro a year for one from Gandi. But that is all not an issue, migrating Roundup to a newer version is more work.
>
> I don't see what's easier (maybe it takes a few minutes less?), nor the point in paying for something you can have for free with the same quality.

That is precisely the issue with free or even cheap certificates: they are likely *not* of the same quality.

A few years ago, I ordered my first certificate from a well-known CA. They charged us $159.00. I *know* that they check up on new applicants: our security officer got a phone call from them, asking if I was legitimately representing the organization. That certificate certified more than just "probably the same host that presented this certificate to you last time".

A CA that charges nothing cannot afford to do much (any?) checking of the assertions in my CSR. The resulting signature thus cannot have some of the meaning that a more thoroughly investigated CSR can support.

A free cert. may have all of the qualities that you need, but I recommend that you think as carefully about your choice of CA as you do about who you would have sign a PGP key. The more you depend on a certificate for *establishing* trust, the more it's going to cost you, because it's going to cost the issuer more to provide that assurance while protecting his own reputation.

-- 
Mark H. Wood
Lead Technology Analyst
University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu
Re: bugs.gnupg.org TLS certificate
On 13.03.15 15:04, Mark H. Wood wrote:
> On Fri, Mar 13, 2015 at 05:55:53AM -0300, Hugo Osvaldo Barrera wrote:
>> On 2015-03-13 08:21, Werner Koch wrote:
>>> On Fri, 13 Mar 2015 00:21, h...@barrera.io said:
>>>> No need for a wildcard one. Just get one free certificate for each subdomain from StartSSL.
>>>
>>> Definitely not. It's far easier to pay 10 Euro a year for one from Gandi. But that is all not an issue, migrating Roundup to a newer version is more work.
>>
>> I don't see what's easier (maybe it takes a few minutes less?), nor the point in paying for something you can have for free with the same quality.
>
> That is precisely the issue with free or even cheap certificates: they are likely *not* of the same quality.
>
> A few years ago, I ordered my first certificate from a well-known CA. They charged us $159.00. I *know* that they check up on new applicants: our security officer got a phone call from them, asking if I was legitimately representing the organization. That certificate certified more than just "probably the same host that presented this certificate to you last time".

The CA cartel has specified clear and binding rules for the participating CAs as to what level of validation is required. This is overly simplified but they are essentially:

- Domain validation (Class 1)
- Organization validation (Class 2)
- Extended Validation (Class 3)

Anything automatically validated, i.e. some file on a URL or a DNS check etc., is a Class 1 cert. The rest require filing paperwork and usually take from hours to days to complete. And there is no reason for anyone to try guessing which level a cert belongs to; they tell you the validation beforehand.

> A CA that charges nothing cannot afford to do much (any?) checking of the assertions in my CSR.
> …
> A free cert. may have all of the qualities that you need, but I recommend that you think as carefully about your choice of CA as you do about who you would have sign a PGP key.

Many CAs will be happy to sell a Class 1 certificate for 100-200$ or more.

Paying money for a cert doesn't necessarily make it any more certified. The CA business is a badly monopolized cartel where the old farts have dug in years ago and are just counting the money :). An Organization cert is the same regardless of where it comes from (in the cartel). They have their own auditing and other requirements that make sure of it.

And for the end user of a site it (should be) of no concern which CA is behind the cert. Just what level of validation the cert is. And how many users actually care? Not many (except for the branded green bar).

-- 
Ville
Re: bugs.gnupg.org TLS certificate
On 13.03.15 15:27, Werner Koch wrote:
> The more expensive CAs are only selling you a fashionable background color for the client's address bar.

Essentially, that's it :). There are however clearly defined hard requirements to the Extended Validation, aka green bar level. That is, more involved validation of the organization and the person requesting the certificate. But those EV certs can be had for cheaper than hundreds of dollars per year.

-- 
Ville
Re: bugs.gnupg.org TLS certificate
On Fri, 13 Mar 2015 14:04, mw...@iupui.edu said:
> A CA that charges nothing cannot afford to do much (any?) checking of the assertions in my CSR. The resulting signature thus cannot have some of the meaning that a more thoroughly investigated CSR can

Given the implicit cross certification of all CAs in the browsers this does not matter. Except for those who tightly control their Root CA, but that is a rare case and not really practical.

The more expensive CAs are only selling you a fashionable background color for the client's address bar.

Salam-Shalom,

   Werner

-- 
Thoughts are free. Exceptions are regulated by a federal law.
Re: bugs.gnupg.org TLS certificate
No, Doug, I really don't have an opinion. To do so, I would have had to have given some thought to the relative merits of both sides and crystallized an opinion. Since SSL certificates do not directly apply to me at this moment, I have not given it the attention it deserves, and so I cannot in good faith have a reasoned opinion; so I don't, out of ignorance if you wish. My point in posting those links was that I remembered seeing this in the past, and thought it fair to bring to Werner's attention that there was some controversy, so that he can, if he wishes, research both sides and come to his own measured opinion.

Avi

Avi
User:Avraham
pub 3072D/F80E29F9 1/30/2009 Avi (Wikimedia-related key) avi.w...@gmail.com
Primary key fingerprint: 167C 063F 7981 A1F6 71EC ABAA 0D62 B019 F80E 29F9

On Thu, Mar 12, 2015 at 11:57 PM, Doug Barton dougb@dougbarton.email wrote:
> It's quite disingenuous to say you don't have an opinion, when obviously you do.
>
> This topic was debated at length on this list when Heartbleed happened. There are two camps:
>
> 1. Those who think that if you offer any kind of free service, you have to offer all related services for free as well. I want it, so you must give it to me.
>
> 2. Those who think that companies like StartSSL who are offering tremendous value to the community for free have the right to recoup some of their operational expenses for requests that go outside the norm, and/or cannot be handled with an automated system.
>
> If you are in the first camp, you have every right to your belief, but that belief does not match up with the real world. If you are in the second camp, pull up a chair, I've got a cooler full of $BEVERAGE that I'll be happy to share. :)
>
> Doug
>
> On 3/12/15 7:27 PM, Avi wrote:
>> I have no opinion one way or the other re: StartSSL, but there are those who do:
>>
>> https://danconnor.com/post/50f65364a0fd5fd1f701/avoid_startcom_startssl_like_the_plague_
>> https://bugzilla.mozilla.org/show_bug.cgi?id=994033
>> https://www.techdirt.com/articles/20140409/11442426859/shameful-security-startcom-charges-people-to-revoke-ssl-certs-vulnerable-to-heartbleed.shtml
>>
>> etc.
>>
>> Avi
>> User:Avraham
>> pub 3072D/F80E29F9 1/30/2009 Avi (Wikimedia-related key) avi.w...@gmail.com
>> Primary key fingerprint: 167C 063F 7981 A1F6 71EC ABAA 0D62 B019 F80E 29F9
>>
>> On Thu, Mar 12, 2015 at 7:47 PM, Mick Crane mick.cr...@gmail.com wrote:
>>> On 12 Mar 2015, at 23:21, Hugo Osvaldo Barrera h...@barrera.io wrote:
>>>> On 2015-03-11 17:38, Werner Koch wrote:
>>>>> On Wed, 11 Mar 2015 15:12, br...@minton.name said:
>>>>>> git.gnupg.org) don't use that certificate. Have you considered a wildcard certificate? I know this has been discussed before, e.g. at
>>>>>
>>>>> Too expensive ;-).
>>>>>
>>>>> To stop all these complaints I will add a so called real certificate but first I need to move the tracker to another machine.
>>>>>
>>>>> Shalom-Salam,
>>>>>
>>>>>    Werner
>>>>
>>>> No need for a wildcard one. Just get one free certificate for each subdomain from StartSSL.
Re: bugs.gnupg.org TLS certificate
It's quite disingenuous to say you don't have an opinion, when obviously you do.

This topic was debated at length on this list when Heartbleed happened. There are two camps:

1. Those who think that if you offer any kind of free service, you have to offer all related services for free as well. I want it, so you must give it to me.

2. Those who think that companies like StartSSL who are offering tremendous value to the community for free have the right to recoup some of their operational expenses for requests that go outside the norm, and/or cannot be handled with an automated system.

If you are in the first camp, you have every right to your belief, but that belief does not match up with the real world. If you are in the second camp, pull up a chair, I've got a cooler full of $BEVERAGE that I'll be happy to share. :)

Doug

On 3/12/15 7:27 PM, Avi wrote:
> I have no opinion one way or the other re: StartSSL, but there are those who do:
>
> https://danconnor.com/post/50f65364a0fd5fd1f701/avoid_startcom_startssl_like_the_plague_
> https://bugzilla.mozilla.org/show_bug.cgi?id=994033
> https://www.techdirt.com/articles/20140409/11442426859/shameful-security-startcom-charges-people-to-revoke-ssl-certs-vulnerable-to-heartbleed.shtml
>
> etc.
>
> Avi
> User:Avraham
> pub 3072D/F80E29F9 1/30/2009 Avi (Wikimedia-related key) avi.w...@gmail.com
> Primary key fingerprint: 167C 063F 7981 A1F6 71EC ABAA 0D62 B019 F80E 29F9
>
> On Thu, Mar 12, 2015 at 7:47 PM, Mick Crane mick.cr...@gmail.com wrote:
>> On 12 Mar 2015, at 23:21, Hugo Osvaldo Barrera h...@barrera.io wrote:
>>> On 2015-03-11 17:38, Werner Koch wrote:
>>>> On Wed, 11 Mar 2015 15:12, br...@minton.name said:
>>>>> git.gnupg.org) don't use that certificate. Have you considered a wildcard certificate? I know this has been discussed before, e.g. at
>>>>
>>>> Too expensive ;-).
>>>>
>>>> To stop all these complaints I will add a so called real certificate but first I need to move the tracker to another machine.
>>>>
>>>> Shalom-Salam,
>>>>
>>>>    Werner
>>>
>>> No need for a wildcard one. Just get one free certificate for each subdomain from StartSSL.
Re: bugs.gnupg.org TLS certificate
I have no opinion one way or the other re: StartSSL, but there are those who do:

https://danconnor.com/post/50f65364a0fd5fd1f701/avoid_startcom_startssl_like_the_plague_
https://bugzilla.mozilla.org/show_bug.cgi?id=994033
https://www.techdirt.com/articles/20140409/11442426859/shameful-security-startcom-charges-people-to-revoke-ssl-certs-vulnerable-to-heartbleed.shtml

etc.

Avi
User:Avraham
pub 3072D/F80E29F9 1/30/2009 Avi (Wikimedia-related key) avi.w...@gmail.com
Primary key fingerprint: 167C 063F 7981 A1F6 71EC ABAA 0D62 B019 F80E 29F9

On Thu, Mar 12, 2015 at 7:47 PM, Mick Crane mick.cr...@gmail.com wrote:
> On 12 Mar 2015, at 23:21, Hugo Osvaldo Barrera h...@barrera.io wrote:
>> On 2015-03-11 17:38, Werner Koch wrote:
>>> On Wed, 11 Mar 2015 15:12, br...@minton.name said:
>>>> git.gnupg.org) don't use that certificate. Have you considered a wildcard certificate? I know this has been discussed before, e.g. at
>>>
>>> Too expensive ;-).
>>>
>>> To stop all these complaints I will add a so called real certificate but first I need to move the tracker to another machine.
>>>
>>> Shalom-Salam,
>>>
>>>    Werner
>>
>> No need for a wildcard one. Just get one free certificate for each subdomain from StartSSL.
>
> I think Werner can make his own authority and certificate? That sort of information used to be much more readily accessible on the net, like how to run your own DNS. For forgetful people it is difficult to track things down now with so much available.
Re: bugs.gnupg.org TLS certificate
On 12 Mar 2015, at 23:21, Hugo Osvaldo Barrera h...@barrera.io wrote:
> On 2015-03-11 17:38, Werner Koch wrote:
>> On Wed, 11 Mar 2015 15:12, br...@minton.name said:
>>> git.gnupg.org) don't use that certificate. Have you considered a wildcard certificate? I know this has been discussed before, e.g. at
>>
>> Too expensive ;-).
>>
>> To stop all these complaints I will add a so called real certificate but first I need to move the tracker to another machine.
>>
>> Shalom-Salam,
>>
>>    Werner
>
> No need for a wildcard one. Just get one free certificate for each subdomain from StartSSL.

I think Werner can make his own authority and certificate? That sort of information used to be much more readily accessible on the net, like how to run your own DNS. For forgetful people it is difficult to track things down now with so much available.
Re: bugs.gnupg.org TLS certificate
On Fri, Mar 13, 2015 at 12:21 AM, Hugo Osvaldo Barrera h...@barrera.io wrote:
> On 2015-03-11 17:38, Werner Koch wrote:
>> On Wed, 11 Mar 2015 15:12, br...@minton.name said:
>>> git.gnupg.org) don't use that certificate. Have you considered a wildcard certificate? I know this has been discussed before, e.g. at
>>
>> Too expensive ;-).
>>
>> To stop all these complaints I will add a so called real certificate but first I need to move the tracker to another machine.
>>
>> Shalom-Salam,
>>
>>    Werner
>
> No need for a wildcard one. Just get one free certificate for each subdomain from StartSSL.

StartSSL's a great choice, as one can issue as many certificates as one wishes for validated domain names.

Alternatively, several CAs[1][2] offer free certificates to open-source projects. Resellers[3][4] also offer quite reasonably-priced ($9 USD/year) certs as a standard price.

Cheers!
-Pete

Full disclosure: I'm a paying customer of StartSSL, Gandi, and NameCheap, and have several certificates from each for different purposes. Other than being a customer, I have no other interest in those organizations.

[1] https://www.godaddy.com/ssl/ssl-open-source.aspx
[2] https://www.globalsign.com/en/ssl/ssl-open-source/
[3] https://www.namecheap.com/security/ssl-certificates/domain-validation.aspx
[4] https://www.gandi.net/ssl/standard

-- 
Pete Stephenson
Re: bugs.gnupg.org TLS certificate
On 2015-03-11 17:38, Werner Koch wrote:
> On Wed, 11 Mar 2015 15:12, br...@minton.name said:
>> git.gnupg.org) don't use that certificate. Have you considered a wildcard certificate? I know this has been discussed before, e.g. at
>
> Too expensive ;-).
>
> To stop all these complaints I will add a so called real certificate but first I need to move the tracker to another machine.
>
> Shalom-Salam,
>
>    Werner

No need for a wildcard one. Just get one free certificate for each subdomain from StartSSL.

Cheers,

-- 
Hugo Osvaldo Barrera
A: Because we read from top to bottom, left to right.
Q: Why should I start my reply below the quoted text?
Re: bugs.gnupg.org TLS certificate
On Wed, 11 Mar 2015 15:12, br...@minton.name said:
> git.gnupg.org) don't use that certificate. Have you considered a wildcard certificate? I know this has been discussed before, e.g. at

Too expensive ;-).

To stop all these complaints I will add a so called real certificate but first I need to move the tracker to another machine.

Shalom-Salam,

   Werner

-- 
Thoughts are free. Exceptions are regulated by a federal law.
bugs.gnupg.org TLS certificate
I wanted to report a bug in gnupg, but my browser complained about the certificate (self-signed, and for kerckhoffs.g10code.com rather than bugs.gnupg.org). I noticed that https://gnupg.org has a trusted certificate from Gandi Standard SSL CA, but bugs.gnupg.org (and other sites such as git.gnupg.org) don't use that certificate. Have you considered a wildcard certificate? I know this has been discussed before, e.g. at https://lists.gnupg.org/pipermail/gnupg-users/2013-December/048415.html

thanks,

-- 
Brian Minton
br...@minton.name
http://brian.minton.name
Live long, and prosper longer!
OpenPGP fingerprint = 8213 71DD 4665 CF4F AE20 2206 0424 DC19 B678 A1A9