librelist archives


Certificate Authority

From:
Carol Nichols
Date:
2012-07-10 @ 15:35
So I'm working on enabling HTTPS for rstat.us, and I'm really agonizing
over the choice of a Certificate Authority. I may be overthinking this, but
I'd like to be true to rstat.us' ideals of openness, simplicity, control
over your own data, etc. Here are some things I'm considering:

- Security record of the CA (ex: Comodo is out
http://www.theregister.co.uk/2011/03/30/comodo_gate_latest/)
- Ethical record of the company that owns the CA (ex: GoDaddy is out
https://mashable.com/2011/12/30/go-daddy-now-officially-opposes-sopa/)
- Country/government affiliation (ex: CNNIC is out
https://lwn.net/Articles/372386/)
- Included in major browsers to be simple for end users to use without
scary messages (ex: CAcert is out http://www.cacert.org/)

I haven't looked into every CA yet, but here are two that I haven't found
anything AS bad as the above yet:

- StartSSL, pros: free, cons: based in Israel, could that be construed as
taking a side in the Israeli/Palestinian conflict?
- GeoTrust, pros: cheap, available through namecheap, cons: owned by
Symantec, a really big company

Any others? Any thoughts?

-Carol

Re: [rstatus] Certificate Authority

From:
Stephen Paul Weber
Date:
2012-07-10 @ 15:45
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Somebody claiming to be Carol Nichols wrote:
>I may be overthinking this, but
>I'd like to be true to rstat.us' ideals of openness, simplicity, control
>over your own data, etc.
>
>I haven't looked into every CA yet, but here are two that I haven't found
>anything AS bad as the above yet:
>
>- StartSSL, pros: free, cons: based in Israel, could that be construed as
>taking a side in the Israeli/Palestinian conflict?
>- GeoTrust, pros: cheap, available through namecheap, cons: owned by
>Symantec, a really big company

It may be just me, but I seriously think you're overthinking this.  No one 
even looks at what CA you use, and I wouldn't trust any of them 
security-wise.

Who is going to think that buying a product from a company based in Israel 
is taking a side in an ethnic conflict?  If we're worried about that sort of 
thing, someone can be upset no matter who you choose, if they really want to 
be upset.

- -- 
Stephen Paul Weber, @singpolyma
See <http://singpolyma.net> for how I prefer to be contacted
edition right joseph
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
-----END PGP SIGNATURE-----

Re: [rstatus] Certificate Authority

From:
Colin Dean
Date:
2012-07-10 @ 15:55
Aye. It's important to consider the technical merits of an SSL CA, but I 
think it gets to a point where you'd find grounds to eliminate all of 
them. 

Others to consider:

RapidSSL
Thawte
VeriSign

I have an unused one from NameCheap that I may eventually use for 
pittco.org. The interface seems simple enough. 

-- 
Colin Dean
cad@cad.cx


On Tuesday, July 10, 2012 at 11:45 AM, Stephen Paul Weber wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> Somebody claiming to be Carol Nichols wrote:
> > I may be overthinking this, but
> > I'd like to be true to rstat.us' ideals of openness, simplicity, control
> > over your own data, etc.
> > 
> > I haven't looked into every CA yet, but here are two that I haven't found
> > anything AS bad as the above yet:
> > 
> > - StartSSL, pros: free, cons: based in Israel, could that be construed as
> > taking a side in the Israeli/Palestinian conflict?
> > - GeoTrust, pros: cheap, available through namecheap, cons: owned by
> > Symantec, a really big company
> > 
> 
> 
> It may be just me, but I seriously think you're overthinking this. No one 
> even looks at what CA you use, and I wouldn't trust any of them 
> security-wise.
> 
> Who is going to think that buying a product from a company based in Israel 
> is taking a side in an ethnic conflict? If we're worried about that sort of 
> thing, someone can be upset no matter who you choose, if they really want to 
> be upset.
> 
> - -- 
> Stephen Paul Weber, @singpolyma
> See <http://singpolyma.net> for how I prefer to be contacted
> edition right joseph
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
> 
> iQIcBAEBCAAGBQJP/E4lAAoJENEcKRHOUZzeBBIQAKQ+JpiEfk1jQx8UHSZDFI07
> SmdFXWQKYcLfz/KPIJrkJe1CN4Q5gCRoDN+HwVQlmbg8VElTqIL0DZoaNvP/XSJw
> KGMY0rDvCSRXopNACelRLmhwQm6vwKaqD9wakcONGB3Pc3tDsSxv5bhqwcXxYDXP
> ajy805zGexRbNT4pesXerSRV07YH2FKHUlFq7w11/WksQ8E4M5UGerLzqqmE9PkF
> jSEnX8DPKULpfLOPGWDC7tn+NbVGjDBGKIWupWIn8aP0ctZVBHbK6iOD5+voTUvW
> nXasy94MoqkXQErm16lJ4TTf1tws1ImdF5rd7tZJfXNuoMl9RqkmqoCoh1N1hF+z
> CCpct824sDTwmcS5NxpSBnLtXcX9aLkVeE+QWKu0wtTkqfzjnQlQSkYDl+JUo9Ka
> I6HvFSPPOWg+yX0azGhMU4HY89je1iUouexHSh7UoCz1+PdweH+CqoYwItHSOuhG
> K+uBeeLi62AzdkjLty0FxRGVZkv0fYeEvr6MVpow/ZoZsB/1oHequMq3VOWaC9ie
> EVBvsBRhETg6Aua1ar1R9nEynR0nwVIgLoTPIOrGAZOU+Py4JBbbLcAhylpQcGbO
> v63N+Cf5mVToRwDrobqAOUR+4Teg+GqPYr+oKt4DcbcFEf/rPMPvB6AYSL3CJHAl
> tT5OX9XbBg4UafqbBmOc
> =OCor
> -----END PGP SIGNATURE-----
> 
> 

Re: [rstatus] Certificate Authority

From:
Carol Nichols
Date:
2012-07-11 @ 13:54
Thank you everyone for your thoughts :D I decided to go with StartSSL--
@singpolyma convinced me completely by saying "I don't want to give *any*
CA *any* money"  :D

I don't have the DNS settings quite right yet, but it should be up soon.

-Carol


On Tue, Jul 10, 2012 at 11:55 AM, Colin Dean <cad@cad.cx> wrote:

> Aye. It's important to consider the technical merits of an SSL CA, but I
> think it gets to a point where you'd find grounds to eliminate all of them.
>
> Others to consider:
>
> RapidSSL
> Thawte
> VeriSign
>
> I have an unused one from NameCheap that I may eventually use for
> pittco.org. The interface seems simple enough.
>
> --
> Colin Dean
> cad@cad.cx
>
> On Tuesday, July 10, 2012 at 11:45 AM, Stephen Paul Weber wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Somebody claiming to be Carol Nichols wrote:
>
> I may be overthinking this, but
> I'd like to be true to rstat.us' ideals of openness, simplicity, control
> over your own data, etc.
>
> I haven't looked into every CA yet, but here are two that I haven't found
> anything AS bad as the above yet:
>
> - StartSSL, pros: free, cons: based in Israel, could that be construed as
> taking a side in the Israeli/Palestinian conflict?
> - GeoTrust, pros: cheap, available through namecheap, cons: owned by
> Symantec, a really big company
>
>
> It may be just me, but I seriously think you're overthinking this. No one
> even looks at what CA you use, and I wouldn't trust any of them
> security-wise.
>
> Who is going to think that buying a product from a company based in Israel
> is taking a side in an ethnic conflict? If we're worried about that sort of
> thing, someone can be upset no matter who you choose, if they really want to
> be upset.
>
> - --
> Stephen Paul Weber, @singpolyma
> See <http://singpolyma.net> for how I prefer to be contacted
> edition right joseph

Re: [rstatus] Certificate Authority

From:
Carol Nichols
Date:
2012-07-10 @ 16:32
Investing in Israeli companies that have had a hand in demolishing
Palestinian settlements was actually just a big issue with the
Presbyterians:


http://www.post-gazette.com/stories/news/us/in-close-vote-presbyterian-church-rejects-divesting-in-firms-that-aid-israeli-occupation-643607/

Rstat.us is a project that was started with particular values in mind. If
this were a personal site of mine, I'd probably have purchased a Comodo cert
by now, but I want to do my best to keep as many of rstat.us' dependencies
in line with its values as possible.

-Carol


On Tue, Jul 10, 2012 at 11:45 AM, Stephen Paul Weber <
singpolyma@singpolyma.net> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Somebody claiming to be Carol Nichols wrote:
> >I may be overthinking this, but
> >I'd like to be true to rstat.us' ideals of openness, simplicity, control
> >over your own data, etc.
> >
> >I haven't looked into every CA yet, but here are two that I haven't found
> >anything AS bad as the above yet:
> >
> >- StartSSL, pros: free, cons: based in Israel, could that be construed as
> >taking a side in the Israeli/Palestinian conflict?
> >- GeoTrust, pros: cheap, available through namecheap, cons: owned by
> >Symantec, a really big company
>
> It may be just me, but I seriously think you're overthinking this.  No one
> even looks at what CA you use, and I wouldn't trust any of them
> security-wise.
>
> Who is going to think that buying a product from a company based in Israel
> is taking a side in an ethnic conflict?  If we're worried about that sort of
> thing, someone can be upset no matter who you choose, if they really want to
> be upset.
>
> - --
> Stephen Paul Weber, @singpolyma
> See <http://singpolyma.net> for how I prefer to be contacted
> edition right joseph

Re: [rstatus] Certificate Authority

From:
Michael Stevens
Date:
2012-07-10 @ 15:40
On Tue, Jul 10, 2012 at 11:35:20AM -0400, Carol Nichols wrote:
> So I'm working on enabling HTTPS for rstat.us, and I'm really agonizing
> over the choice of a Certificate Authority. I may be overthinking this, but
> I'd like to be true to rstat.us' ideals of openness, simplicity, control
> over your own data, etc. Here are some things I'm considering:
> 
> - Security record of the CA (ex: Comodo is out
> http://www.theregister.co.uk/2011/03/30/comodo_gate_latest/)
> - Ethical record of the company that owns the CA (ex: GoDaddy is out
> https://mashable.com/2011/12/30/go-daddy-now-officially-opposes-sopa/)
> - Country/government affiliation (ex: CNNIC is out
> https://lwn.net/Articles/372386/)
> - Included in major browsers to be simple for end users to use without
> scary messages (ex: CAcert is out http://www.cacert.org/)
> 
> I haven't looked into every CA yet, but here are two that I haven't found
> anything AS bad as the above yet:
> 
> - StartSSL, pros: free, cons: based in Israel, could that be construed as
> taking a side in the Israeli/Palestinian conflict?
> - GeoTrust, pros: cheap, available through namecheap, cons: owned by
> Symantec, a really big company
> 
> Any others? Any thoughts?

I bought a cheap one from gandi once, it seemed to work. StartSSL looked
like it had complicated id requirements when I looked at it, but I think
they only applied in some cases, so you might be fine, and I forget the
detail.

Michael

Re: [rstatus] Certificate Authority

From:
Steve Klabnik
Date:
2012-07-10 @ 15:36
I'm like 90% sure I used NameCheap to buy my last certificate.

Re: [rstatus] Certificate Authority

From:
Carol Nichols
Date:
2012-07-10 @ 15:39
But *which* certificate did you choose? NameCheap is just a reseller, not a
CA.
-Carol


On Tue, Jul 10, 2012 at 11:36 AM, Steve Klabnik <steve@steveklabnik.com> wrote:

> I'm like 90% sure I used NameCheap to buy my last certificate.
>

Re: [rstatus] Certificate Authority

From:
Steve Klabnik
Date:
2012-07-10 @ 15:41
> But *which* certificate did you choose? NameCheap is just a reseller, not a
> CA.

Oh, yeah. Uhhh looking through my account history, it was 'Comodo EssentialSSL.'

It's what I'm using for the book.