OT Digital Certificates
marthter
marthter-FFYn/CNdgSA at public.gmane.org
Thu Jan 6 22:12:51 UTC 2011
On 11-01-06 03:13 PM, Ivan Avery Frey wrote:
> I have digital certificates from startssl.com that are expiring soon.
> I've never used them. Currently my only use for them would be for
> encrypting and signing emails. Instead of getting new ones from
> startssl.com or should I roll my own? Should I get a free one from
> Verisign?
>
> Ivan.
I've been using cacert.org since around 2006. It is a free
collaborative approach to SSL certificates based on government-issued
identity documents, where other previously-assured community members
view your documents to verify that you are who you claim to be. They
also have a process for verifying domain ownership for server
certificates (not necessarily tied to the personal identity side of things).
Their stated goal for all of that time has been to get their root
certificate included into the pre-installed sets in various products.
It seems they are in quite a few distros now but they still aren't in
Firefox as there still seem to be some major hoops to jump through to
allow them to pass an audit (in lieu of the prohibitively expensive
WebTrust audit) http://wiki.cacert.org/InclusionStatus
So you still have to put the root certificate into your browser before
all the cacert-issued certificates will be trusted. (However this is
not difficult, we even have our end users do it).
http://www.cacert.org/index.php?id=3, (e.g. for Firefox, check boxes for
"trust this CA to identify web sites / e-mail users / software developers".)
So in some ways it is not much better than self-signed, but for your
stated purposes, I would think it would be fine, plus it gives you some
management GUI, a way to revoke, some CRL (certificate revocation list)
infrastructure, etc. In other ways it is much better as you can do
wildcard certificates, multi-domain certificates on the same server
(using subject-alt-name part of the standard), and I think even code
signing (additional set of hoops).
I think the free-from-Verisign (and similar) option will likely have
restrictions like including your e-mail address but cannot include your
name.
Also I know a few list members besides myself are "assured" and are
"assurers" in cacert parlance so it has something of a critical mass in
Toronto.
Good luck.
Martin
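The trust step Martin describes (certificates under a community root verify only once that root is in your trust store, with e-mail and wildcard names carried in subjectAltName), as an added shell example that is not part of the original thread; it assumes the openssl command-line tool is installed, and the CA name and example.test names are constructed placeholders.

```shell
#!/bin/sh
# Added illustration, not part of the original message: a throwaway
# "community root" signs a leaf certificate, then the leaf is checked
# once without and once with that root in the trust store. All names
# (Example Community Root, example.test) are constructed placeholders.
# Requires the openssl CLI; everything stays in a temporary directory.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_chain() {
  # Self-signed root key and certificate (stands in for the CA root).
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" \
    -subj "/CN=Example Community Root" >/dev/null 2>&1
  # Leaf key and request for a person (the e-mail signing use case).
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
    -subj "/CN=Example User" >/dev/null 2>&1
  # The CA adds subjectAltName: an e-mail address plus a wildcard DNS
  # name, the kinds of entries the message says cacert supports.
  printf 'subjectAltName=email:user@example.test,DNS:*.example.test\n' \
    > "$WORK/leaf.ext"
  openssl x509 -req -days 30 -in "$WORK/leaf.csr" \
    -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# What a client sees before the root is imported: no path to a trusted CA.
verify_without_root() {
  openssl verify "$WORK/leaf.pem" >/dev/null 2>&1 && echo trusted || echo untrusted
}

# What it sees after the root is added to its trust store (-CAfile plays
# the role of the browser's "trust this CA" checkbox).
verify_with_root() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1 \
    && echo trusted || echo untrusted
}

# Print the SAN line so the e-mail and wildcard entries can be inspected.
leaf_sans() {
  openssl x509 -in "$WORK/leaf.pem" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1
}

make_chain
echo "before importing root: $(verify_without_root)"
echo "after importing root:  $(verify_with_root)"
echo "leaf SAN:$(leaf_sans)"
```

Note that -CAfile only affects this one verification; a browser or mail client keeps its own store, which is why the root must be imported there separately.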