nanog mailing list archives
Re: SSL Certificates
From: Jeroen Massar <jeroen () unfix org>
Date: Thu, 16 Feb 2012 17:21:33 +0100
On 2012-02-16 17:13 , Christopher Morrow wrote:
On Thu, Feb 16, 2012 at 8:33 AM, John R. Levine <johnl () iecc com> wrote:I suppose if you buy a SSL certificate, you should be looking for your CA to have insurance to reimburse the cost of the certificate should that happen, and an ironclad "refund" clause in the agreement/contract under which a SSL cert is issuedThese certs cost $9.00. You're not going to get much of an insurance policy at that price.again, startssl.com - free. why pay? it's (as you say) not actually buying you anything except random bits anyway... if you can get them for free, why would you not do that?
Because they do not have a wildcard one for 'free', which is useful when one wants to serve eg example.com but als www.example.com from the same location along with other variants of the hostname. Except for that, it is a rather great offer. Though one can of course just serve the example.com one and force people after they accept to the main site. I tend to stick CAcert ones on hosts and tell people to either just accept that single cert and store it for future checks or just install the CAcert root cert, that covers a lot of hosts in one go, given of course that one trusts what CAcert is doing, but that goes for anything. The method that Firefox is using with the unchained certificates "save this unverified cert and as long as it is the same it is great" is in that respect similar to SSH hostkeys, one can verify those offline and just keep on using them as as long as that cert is the same you are likely talking to the same host (ssl etc still don't cover compromised hosts). In the end, they are just bits, and this whole verification thing at the verification of owner adds nothing except for an ease-of-use factor for the non-techy folks on the Internet. Greets, Jeroen
Current thread:
- Re: SSL Certificates Ask Bjørn Hansen (Feb 15)
- Re: SSL Certificates John Levine (Feb 15)
- Re: SSL Certificates George Herbert (Feb 15)
- Re: SSL Certificates Jimmy Hess (Feb 15)
- Re: SSL Certificates John R. Levine (Feb 16)
- Re: SSL Certificates Christopher Morrow (Feb 16)
- Re: SSL Certificates John R. Levine (Feb 16)
- Re: SSL Certificates Jeroen Massar (Feb 16)
- Re: SSL Certificates startssl.com James Triplett (Feb 16)
- Re: SSL Certificates George Herbert (Feb 15)
- Re: SSL Certificates Leo Bicknell (Feb 16)
- Re: SSL Certificates John Levine (Feb 16)
- Re: SSL Certificates John Levine (Feb 15)
- Re: SSL Certificates George Herbert (Feb 16)