[Ach] StartSSL for Business Sysadmins

Axel Hübl axel.huebl at web.de
Mon Jan 13 00:39:39 CET 2014



Actually I did not want to start a discussion on CA's.
I just wanted to add to the earlier comment on

"it's bad anyway - take a free one"
because it's not even an option for businesses.

Actually, for websites there is no well established alternative at all
so far (start bashing now).

Anyway, I agree with the Aarons: there are plenty of certificate
guides out there and how to configure them.

This guide should be about the crypto, not how to copy&paste a "safe
installation" from zero.

Axel

On 12.01.2014 22:27, Rainer Hoerbe wrote:
> 
> On 12.01.2014 at 14:55, Axel Hübl <axel.huebl at web.de> wrote:
> 
>> 
>> Just a side note on StartSSL for business sysadmins:
>> 
>>>>>> On 11.01.2014, at 21:36, Rainer Hoerbe
>>>>>> <rainer at hoerbe.at> wrote:
>>>>>> 
>>>>>> ... The question is why to pay for a certificate of low
>>>>>> value, when you can get the same product elsewhere for
>>>>>> free, e.g. Startssl. ...
>> 
>> StartSSL is only free for *private*/personal certificates:
> 
> I disagree. "Better" certificates do not buy your users any better
> trust, unless your PKI is used in a restricted and managed context
> (like a group of enterprises). It is part of the CA's business
> model to make customers think that extended validation and the like
> is improving security. But it will never provide value unless
> domain-validated certificates are abandoned. By paying high $ for
> certificates you will not change the ecosystem, or "lemon market"
> as Peter Gutmann describes it.
> 
> That being said, I believe that X.509 and vendor-supplied default
> trust roots are not inherently bad and should be abandoned. But
> this PKI cannot be reformed. It seems more promising to use outside
> means to add trust to certificates, like certificate pinning or
> certificate transparency.
> 
>> 
>>> This electronic mail message was created by StartCom's 
>>> Administration Personnel:
>>> 
>>> Thank you for requesting a digital certificate with us.
>>> However Class 1 certificates are not meant to be used for
>>> commercial activities or financial transactions according to
>>> our policy. For this purpose please consider upgrading to Class
>>> 2 or higher verification level. Please see
>>> https://www.startssl.com/?app=32 about how to enroll. Thank you
>>> for your understanding.
>> 
>> So if you intend to secure your online shops, your company
>> servers or similar, you have to go for a Class 2 Cert which means
>> you have to prove/pay the identity check *once a year* for
>> $59.90: https://www.startssl.com/?app=2
>> 
>> With that you can get unlimited Class 2 Certs again during that
>> period. If I am not totally mistaken, their Class 2 Certs are
>> also valid for 2 or 3 years (instead of 1 year for their free
>> class 1 certs).
> 
> Legally, that is a recommendation from StartSSL (what a nice word
> for FUD:-), not a Terms of Use restriction.
> 
> - Rainer
> 
>> 
>> Best, Axel
> 
> 