[Systems] certificates / SNI, SSO / passwords

Sascha Silbe sascha-ml-reply-to-2010-2 at silbe.org
Sat Aug 28 06:35:55 EDT 2010


Excerpts from Luke Faraone's message of Thu Aug 26 16:56:57 +0200 2010:

>>> To me, it's not a matter of money--we're talking about $50/year for a
>>> wildcard certificate, quite affordable.
>> I suppose those $50 only cover *.sugarlabs.org, not a combined certificate
>> for *.sugarlabs.org + *.ole.org.
> From the people I talked with at StartSSL, they charge only for what
> requires them to do manual processing. Domain control validation is
> automated, therefore free.
Interesting, though it's still $50 per "year" (350 days) [1].

But from the FAQ I gather that we would still need a manual (= paid-for)
verification for non-SL domains as somebody else owns the domains:

[2]:
> Disclaimer: Obviously you are not allowed to create certificates for
> others. The identity and organization validation confirms only the
> subscriber. Doing so would violate the StartCom CA policy and all
> certificates would be revoked immediately upon detection.

[3]:
> You may perform Class 2 Identity (and Organization) validation and apply
> for their specific domain space by providing this authorization letter
> from the domain name owner. The validations are performed manually and
> are not supported below the Class 2 level.

As the domain validation is only valid for 30 days [1], we would need to
do this (and pay for it) every time we issue or renew a certificate
(the former can be avoided by using a single private key and single
wildcard certificate on all of our public-facing servers).

> http://forum.startcom.org/viewtopic.php?f=15&t=1802 is a user-compiled
> list of which browsers recognize this CA.
Not perfect, but it might have been a good compromise.

> I have not tested as to whether it works on the XO-1.
XOs are a no-brainer (at least in the long run) as we have full control
over Browse. We have shipped the CAcert root certificate since 116.

Sascha

[1] http://www.startssl.com/?app=25#20
[2] http://www.startssl.com/?app=25#27
[3] http://www.startssl.com/?app=25#28
--
http://sascha.silbe.org/
http://www.infra-silbe.de/