[Ach] StartSSL for Business Sysadmins

Axel Hübl axel.huebl at web.de
Mon Jan 13 00:39:39 CET 2014


Actually I did not want to start a discussion on CA's.
I just wanted to add to the earlier comment on

"it's bad anyway - take a free one"
because it's not even an option for businesses.

Actually, for websites there is no well established alternative at all
so far (start bashing now).

Anyway, I agree with the Aarons: there are plenty of certificate
guides out there and how to configure them.

This guide should be about the crypto, not how to copy&paste a "safe
installation" from zero.

On 12.01.2014 22:27, Rainer Hoerbe wrote:
> Am 12.01.2014 um 14:55 schrieb Axel Hübl <axel.huebl at web.de>:
>> Just a side note on StartSSL for business sysadmins:
>>>>>> On 11.01.2014, at 21:36, Rainer Hoerbe
>>>>>> <rainer at hoerbe.at> wrote:
>>>>>> ... The question is why to pay for a certificate of low
>>>>>> value, when you can get the same product elsewhere for
>>>>>> free, e.g. Startssl. ...
>> StartSSL is only free for *private*/personal certificates:
> I disagree. "Better" certificates do not buy your users any better
> trust, unless your PKI is used in a restricted and managed context
> (like a group of enterprises). It is part of the CA's business
> model to make customers think that extended validation and the like
> is improving security. But it will never provide value unless
> domain-validated certificates are abandoned. By paying high $ for
> certificates you will not change the ecosystem, or "lemon market"
> as Peter Gutmann describes it.
> That being said, I believe that X.509 and vendor-supplied default
> trust roots are not inherently bad and should be abandoned. But
> this PKI cannot be reformed. It seems more promising to use outside
> means to add trust to certificates, like certificate pinning or
> certificate transparency.
>>> This electronic mail message was created by StartCom's 
>>> Administration Personnel:
>>> Thank you for requesting a digital certificate with us.
>>> However Class 1 certificates are not meant to be used for
>>> commercial activities or financial transactions according to
>>> our policy. For this purpose please consider upgrading to Class
>>> 2 or higher verification level. Please see
>>> https://www.startssl.com/?app=32 about how to enroll. Thank you
>>> for your understanding.
>> So if you intend to secure your online shops, your company
>> servers or similar, you have to go for a Class 2 Cert which means
>> you have to prove/pay the identity check *once a year* for
>> $59.90: https://www.startssl.com/?app=2
>> With that you can get unlimited Class 2 Certs again during that
>> period. If I am not totally mistaken, their Class 2 Certs are
>> also valid for 2 or 3 years (instead of 1 year for their free
>> class 1 certs).
> Legally, that is a recommendation from StartSSL (what a nice word
> for FUD:-), not a Terms of Use restriction.
> - Rainer
>> Best, Axel