[Ach] StartSSL for Business Sysadmins

Rainer Hoerbe rainer at hoerbe.at
Sun Jan 12 22:27:27 CET 2014

On 12.01.2014 at 14:55, Axel Hübl <axel.huebl at web.de> wrote:

> Just a side note on StartSSL for business sysadmins:
>>>>> On 11.01.2014, at 21:36, Rainer Hoerbe <rainer at hoerbe.at>
>>>>> wrote:
>>>>> ... The question is why to pay for a certificate of low
>>>>> value, when you can get the same product elsewhere for free,
>>>>> e.g. Startssl. ...
> StartSSL is only free for *private*/personal certificates:

I disagree. "Better" certificates do not buy your users any better trust, unless your PKI is used in a restricted and managed context (like a group of enterprises). It is part of the CA's business model to make customers think that extended validation and the like is improving security. But it will never provide value unless domain-validated certificates are abandoned. By paying high $ for certificates you will not change the ecosystem, or "lemon market" as Peter Gutmann describes it. 

That being said, I believe that X.509 and vendor-supplied default trust roots are not inherently bad and should be abandoned. But this PKI cannot be reformed. It seems more promising to use outside means to add trust to certificates, like certificate pinning or certificate transparency.

>> This electronic mail message was created by StartCom's
>> Administration Personnel:
>> Thank you for requesting a digital certificate with us. However
>> Class 1 certificates are not meant to be used for commercial 
>> activities or financial transactions according to our policy. For
>> this purpose please consider upgrading to Class 2 or higher 
>> verification level. Please see https://www.startssl.com/?app=32
>> about how to enroll. Thank you for your understanding.
> So if you intend to secure your online shops, your company servers or
> similar, you have to go for a Class 2 Cert which means you have to
> prove/pay the identity check *once a year* for $59.90:
>  https://www.startssl.com/?app=2
> With that you can get unlimited Class 2 Certs again during that period.
> If I am not totally mistaken, their Class 2 Certs are also valid for 2
> or 3 years (instead of 1 year for their free class 1 certs).

Legally, that is a recommendation from StartSSL (what a nice word for FUD:-), not a Terms of Use restriction.

- Rainer

> Best,
> Axel
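Certificate pinning, which Rainer names above as one "outside means" of adding trust, ties acceptance of a server to its key rather than to whatever a default trust root happens to sign. The following is an added illustration written for this page, not code from the thread or from any poster or CA: it computes an RFC 7469-style pin (base64 of SHA-256 over the DER SubjectPublicKeyInfo), extracts the SPKI from a certificate with a minimal DER walker, and checks it against a pin set. The certificates and keys are constructed, unsigned DER skeletons built inline so the script runs offline; the function and constant names are this example's own.

```python
# Added example: SPKI pinning check in the style of RFC 7469 (HPKP).
# The pin is base64(SHA-256(DER SubjectPublicKeyInfo)), so it follows the
# server's key across certificate renewals and fails for any other key,
# whoever signed the certificate.
# All certificates below are CONSTRUCTED, unsigned DER skeletons; they carry
# just enough structure for the parser and are not real certificates.
import base64
import hashlib


def _der_len(n):
    """DER length encoding: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, body):
    """Wrap body in a DER TLV with the given tag."""
    return bytes([tag]) + _der_len(len(body)) + body


def _read_tlv(buf, pos):
    """Parse one TLV starting at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def extract_spki(cert_der):
    """Return the complete SubjectPublicKeyInfo TLV from an X.509 DER certificate."""
    tag, cert_body, _ = _read_tlv(cert_der, 0)      # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, tbs, _ = _read_tlv(cert_body, 0)           # tbsCertificate
    if tag != 0x30:
        raise ValueError("tbsCertificate missing")
    pos = 0
    if tbs[pos] == 0xA0:                             # [0] EXPLICIT version (optional)
        _, _, pos = _read_tlv(tbs, pos)
    for _ in range(5):                               # serialNumber, signature, issuer,
        _, _, pos = _read_tlv(tbs, pos)              # validity, subject
    start = pos
    tag, _, end = _read_tlv(tbs, pos)                # subjectPublicKeyInfo
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo missing")
    return tbs[start:end]


def spki_pin(cert_der):
    """RFC 7469 pin value: base64(SHA-256(SPKI DER))."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()


def pin_matches(cert_der, pins):
    """True if the certificate's key is in the trusted pin set."""
    return spki_pin(cert_der) in pins


# --- constructed sample data (hypothetical, not real certificates) ---------
RSA_OID = bytes.fromhex("06092a864886f70d010101") + der(0x05, b"")  # rsaEncryption, NULL
SHA256_RSA = der(0x30, bytes.fromhex("06092a864886f70d01010b") + der(0x05, b""))


def fake_rsa_spki(modulus):
    """SubjectPublicKeyInfo with a made-up modulus and e = 65537."""
    pub = der(0x30, der(0x02, modulus) + der(0x02, b"\x01\x00\x01"))
    return der(0x30, der(0x30, RSA_OID) + der(0x03, b"\x00" + pub))


def fake_cert(serial, spki):
    """Unsigned certificate skeleton: empty names, fixed validity, dummy signature."""
    name = der(0x30, b"")
    validity = der(0x30, der(0x17, b"140112000000Z") + der(0x17, b"150112000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, serial) + SHA256_RSA
              + name + validity + name + spki)
    return der(0x30, tbs + SHA256_RSA + der(0x03, b"\x00" + b"\x00" * 16))


KEY_A = fake_rsa_spki(b"\x00" + bytes(range(1, 65)))        # toy 512-bit modulus
KEY_B = fake_rsa_spki(b"\x00" + bytes(range(64, 0, -1)))    # a different key
CERT_A1 = fake_cert(b"\x01", KEY_A)   # the certificate we pinned
CERT_A2 = fake_cert(b"\x02", KEY_A)   # renewed certificate, same key: pin still matches
CERT_B = fake_cert(b"\x03", KEY_B)    # other key, e.g. a mis-issued cert: pin fails
TRUSTED_PINS = {spki_pin(CERT_A1)}

if __name__ == "__main__":
    for label, cert in (("A1", CERT_A1), ("A2", CERT_A2), ("B", CERT_B)):
        print(label, spki_pin(cert), pin_matches(cert, TRUSTED_PINS))
```

Against a live server, the DER input would come from something like `ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, 443)))`; the check is then independent of which CA signed the certificate, which is exactly the point Rainer makes about not relying on the CA's validation class. Keep at least one backup pin for a key you hold offline, or a key rotation locks your own users out.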
