[Mageia-sysadm] SSL certificate

Michael Scherer misc at zarb.org
Wed Feb 9 15:22:20 CET 2011

Le mercredi 09 février 2011 à 13:41 +0100, Romain d'Alverny a écrit :
> Hi there,
> reminding previous discussion about that. Misc built
> http://www.mageia.org/wiki/doku.php?id=web:certificates .
> I'd propose we go for Gandi for the following reasons:
>  * mageia.org domain is there already
>  * provides wildcard (120 € a year with their Standard, or 265 with
> their Pro offer - https://www.gandi.net/ssl/compare )
>  * you can get refund within 30 days if you have a pb
>  * accepts not-for-profits (no verification for Standard offer,
> requires papers for Pro offer)
>  * we can pay from France
>  * it's a decent one, regarding others' prices from the list
>  * Gandi is a good player AFAIK and reputation seems good to me
> Disclosure: I do know people there and I do use it; that's in part why
> I bother to recommand this solution.
> Misc, could you elaborate on the security record thing?
> (http://www.win.tue.nl/hashclash/rogue-ca/ ).

Well, not much besides that the rapidssl root certificate caused
troubles to the whole world PKI infrastructure ( ie, they were too lax
regarding their infrastructure ). But X509 is kinda crappy, as I said
several time :)

The risk would have been to have the root certificate to be removed from
browser for various reasons. ( ie, not better than a self signed
certificate ).

Another issue we had with rapidssl was for foo.barr.domain when the
certificate was *.domain. That's something we need to check and to test
for sure.

> For other solutions, Cacert is not an option so far.

Why ? Wobo and Pascal are both assurers, IIRC, as is rapsys.

Michael Scherer

More information about the Mageia-sysadm mailing list