[Mageia-sysadm] SSL certificate
Michael Scherer
misc at zarb.org
Wed Feb 9 15:22:20 CET 2011
On Wednesday 9 February 2011 at 13:41 +0100, Romain d'Alverny wrote:
> Hi there,
>
> reminding previous discussion about that. Misc built
> http://www.mageia.org/wiki/doku.php?id=web:certificates .
>
> I'd propose we go for Gandi for the following reasons:
> * mageia.org domain is there already
> * provides wildcard (120 € a year with their Standard, or 265 with
> their Pro offer - https://www.gandi.net/ssl/compare )
> * you can get refund within 30 days if you have a pb
> * accepts not-for-profits (no verification for Standard offer,
> requires papers for Pro offer)
> * we can pay from France
> * it's a decent one, regarding others' prices from the list
> * Gandi is a good player AFAIK and reputation seems good to me
>
> Disclosure: I do know people there and I do use it; that's in part why
> I bother to recommend this solution.
>
> Misc, could you elaborate on the security record thing?
> (http://www.win.tue.nl/hashclash/rogue-ca/ ).

Well, not much besides that the rapidssl root certificate caused
trouble for the whole world PKI infrastructure (i.e., they were too lax
regarding their infrastructure). But X509 is kinda crappy, as I said
several times :)

The risk would have been to have the root certificate removed from
browsers for various reasons (i.e., not better than a self-signed
certificate).

Another issue we had with rapidssl was for foo.barr.domain when the
certificate was *.domain. That's something we need to check and to test
for sure.

> For other solutions, Cacert is not an option so far.

Why? Wobo and Pascal are both assurers, IIRC, as is rapsys.

--
Michael Scherer
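
The wildcard point raised in the message above (a host two levels below the domain against a certificate for `*.domain`) can be checked against a list of planned host names before ordering a certificate. The following is an added example, not part of the original message: it assumes RFC 6125-style matching, where `*` stands for exactly one left-most label, and the function names and the `example.org` host names are constructed for illustration.

```python
"""Check which host names a wildcard certificate would actually cover."""


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate name such as '*.example.org' covers hostname.

    The wildcard stands for exactly one left-most DNS label: it never spans
    a dot and never matches the bare parent domain.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False  # different depth, or empty label in the host name
    first, rest = p_labels[0], p_labels[1:]
    if rest != h_labels[1:]:
        return False  # everything right of the first label must be identical
    if "*" not in first:
        return first == h_labels[0]
    # Stricter choice made here: accept only a lone '*' label (no 'f*' forms)
    # and refuse a wildcard directly under a single label such as '*.org'.
    return first == "*" and len(rest) >= 2


def coverage_report(cert_names, hostnames):
    """Map each host name to the first certificate name covering it, or None."""
    return {
        host: next((n for n in cert_names if wildcard_matches(n, host)), None)
        for host in hostnames
    }


if __name__ == "__main__":
    # Constructed sample: names a wildcard certificate typically carries,
    # and the hosts we plan to serve over TLS.
    names_in_cert = ["*.example.org", "example.org"]
    planned_hosts = ["www.example.org", "example.org", "foo.bar.example.org"]
    for host, name in coverage_report(names_in_cert, planned_hosts).items():
        print(f"{host:24} {'covered by ' + name if name else 'NOT covered'}")
```

Hosts reported as not covered need either their own certificate, an extra subject alternative name, or a second wildcard at the deeper level.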