On Jun 15, 2016, at 7:57 AM, ????????? ???????? <nevis2us at infoline.su> wrote:
>
> Nowadays it's quite easy to get normal ssl certificates for free. E.g.
>
> http://www.startssl.com
> http://buy.wosign.com/free

Today, I would prefer Let's Encrypt:

https://letsencrypt.org/

It is philosophically aligned with the open source software world, rather than act as bait for a company that would prefer to sell you a cert instead.

I'm only aware of one case where you absolutely cannot use Let's Encrypt, but it also affects the other public CAs: you can't get a publicly-trusted cert for a machine without a publicly-recognized and -visible domain name. For that, you still need to use self-signed certs or certs signed by a private CA.
On Wed, June 15, 2016 9:17 am, Warren Young wrote:
> On Jun 15, 2016, at 7:57 AM, ????????? ???????? <nevis2us at infoline.su> wrote:
>>
>> Nowadays it's quite easy to get normal ssl certificates for free. E.g.
>>
>> http://www.startssl.com
>> http://buy.wosign.com/free
>
> Today, I would prefer Let's Encrypt:
>
> https://letsencrypt.org/
>
> It is philosophically aligned with the open source software world, rather
> than act as bait for a company that would prefer to sell you a cert
> instead.

I have got a question for experts. I just opened the settings of Firefox (latest, on FreeBSD) and took a look at the list of Certification Authorities it comes with.

I do see WoSign there (though I'd prefer to avoid having my US-located servers' certificates signed by an authority located in China, hence located sort of behind "the great firewall of China" - call me superstitious).

I see neither startssl.com nor letsencrypt.org among the Authorities' certificates. This means (correct me if I'm wrong) that the client has to import one of these Certification Authorities' certificates; otherwise a server certificate signed by one of these authorities is on the same page as my private Certification Authority (which I used to run for over 10 years; in my kickstart I had my CA certificate imported into the CA store of clients, but other clients, like laptops, had to download, install and trust my CA certificate). Of course, this is a notch better than "self-signed" server certificates, as you only need to import the CA certificate once, whereas you will need to import self-signed server certificates for each of the servers...

Am I missing something?

Also: with a CA signing a server certificate there is a part that is "verification of identity" of the domain or server owner. Namely, that whoever requested the certificate indeed exists as a physical entity (person, organization or company) accessible at some physical address etc. This is a costly process, and as I remember, free automatically signed certificates were only available from a Certification Authority whose CA certificate had no chance to be included in the CA bundles shipped with browsers, systems etc. For that exact reason: there is "no identity verification". The latter apparently is a costly process.

So, someone, please, set all of us straight: what is the state of the art today?

Disclaimer: I have purely academic interest in this myself: my institution makes CA-signed certificates for my servers at no cost to me, and that authority is in the CA cert bundles.

Valeri

> I'm only aware of one case where you absolutely cannot use Let's
> Encrypt, but it also affects the other public CAs: you can't get a
> publicly-trusted cert for a machine without a publicly-recognized and
> -visible domain name. For that, you still need to use self-signed certs
> or certs signed by a private CA.

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
On Jun 15, 2016, at 8:02 AM, Valeri Galtsev <galtsev at kicp.uchicago.edu> wrote:
>
> I see neither startssl.com nor letsencrypt.org among the Authorities'
> certificates. This means (correct me if I'm wrong) that the client has to
> import one of these Certification Authorities' certificates; otherwise a
> server certificate signed by one of these authorities is on the same page
> as my private Certification Authority (which I used to run for over 10
> years; in my kickstart I had my CA certificate imported into the CA store
> of clients, but other clients, like laptops, had to download, install and
> trust my CA certificate). Of course, this is a notch better than
> "self-signed" server certificates, as you only need to import the CA
> certificate once, whereas you will need to import self-signed server
> certificates for each of the servers...

For my personal needs I use free StartSSL certs and the authority appears as StartCom, Ltd. in Firefox. In my experience it is already a trusted authority in most/all browsers. At least I didn't have to manually trust it, and I haven't run into one that complains about it.
On Wed, Jun 15, 2016 at 10:02:57AM -0500, Valeri Galtsev wrote:
>
> On Wed, June 15, 2016 9:17 am, Warren Young wrote:
> >>
> >> Nowadays it's quite easy to get normal ssl certificates for free. E.g.
> >
> > Today, I would prefer Let's Encrypt:
> >
> > https://letsencrypt.org/
> >
> > It is philosophically aligned with the open source software world, rather
> > than act as bait for a company that would prefer to sell you a cert
> > instead.
>
> I have got a question for experts. I just opened the settings of Firefox
> (latest, on FreeBSD) and took a look at the list of Certification
> Authorities it comes with.
>
> I do see WoSign there (though I'd prefer to avoid having my US-located
> servers' certificates signed by an authority located in China, hence
> located sort of behind "the great firewall of China" - call me
> superstitious).
>
> I see neither startssl.com nor letsencrypt.org among the Authorities'
> certificates.

I'm not an expert by any means, but I use letsencrypt (mostly for testing) and it's always worked for me in FreeBSD with Firefox, without any special effort on my part. You can try https://srobb.net which is using letsencrypt as its cert.

-- 
Scott Robbins
PGP keyID EB3467D6 ( 1B48 077D 66F6 9DB0 FDC2 A409 FA54 EB34 67D6 )
gpg --keyserver pgp.mit.edu --recv-keys EB3467D6
On Jun 15, 2016, at 9:02 AM, Valeri Galtsev <galtsev at kicp.uchicago.edu> wrote:
>
> I do see WoSign there (though I'd prefer to avoid having my US-located
> servers' certificates signed by an authority located in China, hence
> located sort of behind "the great firewall of China" - call me
> superstitious).

That's a perfectly valid concern. The last I heard, modern browsers trust 1,100 CAs! Surely some of those CAs have interests that do not align with my interests.

> I see neither startssl.com nor letsencrypt.org among the Authorities'
> certificates.

That's because they are not top-tier CAs.

> This means (correct me if I'm wrong) that the client has to
> import one of these Certification Authorities' certificates

You must be unaware of certificate chaining:

https://en.wikipedia.org/wiki/Intermediate_certificate_authorities

Even top-tier CAs use certificate chaining. The proper way to run a CA is to keep your private root signing key off-line, using it only to sign some number of intermediate CA signing certs, which are the ones used to generate the certs publicly distributed by that CA.

Doing so lets a CA abandon an escaped private key by issuing a CRL for it. The CA then just generates a new signing key and continues on with that; it doesn't have to get its new signing key into all the TLS clients' trusted signing key stores because the new key's trust chain goes back to the still-private offline root key.

Without that layer of protection, if their private signing key somehow escapes, the CA is basically out of business until they convince all the major browsers to distribute their replacement public key.

> - but other clients, like laptops, had to download, install and
> trust my CA certificate).

If those laptops are Windows laptops on an AD domain, there is a way to push CA public keys out to them automatically. (Don't ask me how, I'm not a Windows admin. I'm just aware that it can be done.)

> Also: with a CA signing a server certificate there is a part that is
> "verification of identity" of the domain or server owner. Namely, that
> whoever requested the certificate indeed exists as a physical entity
> (person, organization or company) accessible at some physical address etc.
> This is a costly process, and as I remember, free automatically signed
> certificates were only available from a Certification Authority whose CA
> certificate had no chance to be included in the CA bundles shipped with
> browsers, systems etc. For that exact reason: there is "no identity
> verification". The latter apparently is a costly process.

I'm not exactly sure what you're asking here.

If you are simply pointing out that the free certificate providers - including Let's Encrypt - do not do public records background checks, D&B checks, phone calls to phone numbers on your web page and DNS records, etc. to prove that you are who you say you are, that is true. Let's Encrypt is not in competition with EV certificates, for example:

https://en.wikipedia.org/wiki/Extended_Validation_Certificate

The term of art for what Let's Encrypt provides is a domain validation certificate. That is, it only proves that the holder was in control of the domain name at the time the cert was generated.

> So, someone, please, set all of us straight: what is the state of the art
> today?

The answer could fill books. In a forum like this, you can only expect answers to specific questions for such broad topics.
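The layered CA layout Warren describes above (root key kept offline, an intermediate that does the day-to-day signing, a CRL issued by the intermediate when a cert must be withdrawn), as an added example that is not from anyone in this thread and not from any CA's tooling. It drives the openssl command line (assumed: OpenSSL 1.1.1 or 3.x on PATH, POSIX sh) and all names in it (Example Root CA, www.example.test, the file names) are made up for the demo. The trust store used for verification holds only the root, which is the situation Valeri asked about: the client trusts the root, and the server supplies the intermediate. The server cert is given a 90-day lifetime so the renewal check at the end has something to measure.

```sh
#!/bin/sh
# Added example (not from this thread): root -> intermediate -> server cert,
# built with the openssl CLI (assumed 1.1.1 or 3.x). All names are constructed.
set -e

# One OpenSSL config serving req (-config), x509 -req (-extfile) and ca.
write_config() (
  cd "$1"
  cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_root]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_int]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[v3_srv]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
authorityKeyIdentifier = keyid
[ca]
default_ca = int_ca
[int_ca]
dir = .
database = $dir/index.txt
certificate = $dir/int.crt
private_key = $dir/int.key
crlnumber = $dir/crlnumber
default_md = sha256
default_crl_days = 30
EOF
  : > index.txt          # empty issuance database for 'openssl ca'
  echo 01 > crlnumber
)

# Root (offline in real life) signs the intermediate once; the intermediate
# signs the server cert. The root key is not touched again after step 2.
build_pki() (
  cd "$1"
  openssl req -config pki.cnf -x509 -extensions v3_root -newkey rsa:2048 -nodes \
    -sha256 -days 3650 -subj "/CN=Example Root CA" -keyout root.key -out root.crt 2>/dev/null
  openssl req -config pki.cnf -new -newkey rsa:2048 -nodes \
    -subj "/CN=Example Intermediate CA" -keyout int.key -out int.csr 2>/dev/null
  openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial -sha256 \
    -days 1825 -extfile pki.cnf -extensions v3_int -out int.crt 2>/dev/null
  openssl req -config pki.cnf -new -newkey rsa:2048 -nodes \
    -subj "/CN=www.example.test" -keyout srv.key -out srv.csr 2>/dev/null
  # 90-day server cert, the lifetime Let's Encrypt issues.
  openssl x509 -req -in srv.csr -CA int.crt -CAkey int.key -CAcreateserial -sha256 \
    -days 90 -extfile pki.cnf -extensions v3_srv -out srv.crt 2>/dev/null
)

# Verify srv.crt against a trust store holding ONLY the root. With $2=chain the
# intermediate is supplied alongside, as a correctly configured server sends it
# in the TLS handshake; with $2=leaf it is missing. Prints OK or FAIL.
verify_server() {
  if [ "$2" = chain ]; then
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/int.crt" "$1/srv.crt" >/dev/null 2>&1 \
      && echo OK || echo FAIL
  else
    openssl verify -CAfile "$1/root.crt" "$1/srv.crt" >/dev/null 2>&1 \
      && echo OK || echo FAIL
  fi
}

# The intermediate revokes the server cert and publishes a CRL; the root key
# stays offline for this.
revoke_server() (
  cd "$1"
  openssl ca -config pki.cnf -revoke srv.crt >/dev/null 2>&1
  openssl ca -config pki.cnf -gencrl -out int.crl >/dev/null 2>&1
)

# CRL-aware verification. Prints REVOKED when the CRL lists srv.crt, else OK.
crl_status() {
  if openssl verify -crl_check -CAfile "$1/root.crt" -CRLfile "$1/int.crl" \
       -untrusted "$1/int.crt" "$1/srv.crt" 2>&1 | grep -q 'certificate revoked'; then
    echo REVOKED
  else
    echo OK
  fi
}

# Renewal check: does cert $1 expire within $2 days? Prints yes or no.
# (-checkend is portable; GNU 'date -d' is not available on FreeBSD.)
expires_within_days() {
  if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
    echo no
  else
    echo yes
  fi
}

PKI_DIR=$(mktemp -d)
write_config "$PKI_DIR"
build_pki "$PKI_DIR"
echo "chain supplied:         $(verify_server "$PKI_DIR" chain)"              # OK
echo "intermediate missing:   $(verify_server "$PKI_DIR" leaf)"               # FAIL
echo "renew within 30 days?   $(expires_within_days "$PKI_DIR/srv.crt" 30)"   # no
echo "renew within 100 days?  $(expires_within_days "$PKI_DIR/srv.crt" 100)"  # yes
revoke_server "$PKI_DIR"
echo "after CRL revocation:   $(crl_status "$PKI_DIR")"                       # REVOKED
```

The "intermediate missing" line is what a browser sees when a server is configured with only its leaf cert and no chain file; the fix is on the server side, not in the client's trust store. The revocation step is the recovery Warren describes: only the intermediate's key signs the CRL, and a client that checks CRLs rejects the cert while the root, and every client's copy of it, stays untouched.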
On 15.06.2016 16:17, Warren Young wrote:
> On Jun 15, 2016, at 7:57 AM, ????????? ???????? <nevis2us at infoline.su> wrote:
>> Nowadays it's quite easy to get normal ssl certificates for free. E.g.
>>
>> http://www.startssl.com
>> http://buy.wosign.com/free
> Today, I would prefer Let's Encrypt:
>
> https://letsencrypt.org/
>
> It is philosophically aligned with the open source software world, rather than act as bait for a company that would prefer to sell you a cert instead.
>
> I'm only aware of one case where you absolutely cannot use Let's Encrypt,

there is more than one case; just think of trust;

Let's Encrypt only trusts for 3 months; would you really expect, in an online shop, that someone trusts this shop?
let us think something like this: "when the CA only trusts for 3 months, how should I trust for a longer period which is important for warranty ..."

> but it also affects the other public CAs: you can't get a publicly-trusted cert for a machine without a publicly-recognized and -visible domain name. For that, you still need to use self-signed certs or certs signed by a private CA.

A private CA is the same as self signed;
On 06/16/2016 10:53 AM, Walter H. wrote:
> Let's Encrypt only trusts for 3 months; would you really expect, in an
> online shop, that someone trusts this shop?
> let us think something like this: "when the CA only trusts for 3
> months, how should I trust for a longer period
> which is important for warranty ..."

I doubt that most users check the dates on SSL certificates, unless they are familiar enough with TLS to understand that a shorter validity period is better for security.
On Thu, June 16, 2016 12:53 pm, Walter H. wrote:
> On 15.06.2016 16:17, Warren Young wrote:
>> On Jun 15, 2016, at 7:57 AM, ????????? ???????? <nevis2us at infoline.su> wrote:
>>> Nowadays it's quite easy to get normal ssl certificates for free. E.g.
>>>
>>> http://www.startssl.com
>>> http://buy.wosign.com/free
>> Today, I would prefer Let's Encrypt:
>>
>> https://letsencrypt.org/
>>
>> It is philosophically aligned with the open source software world,
>> rather than act as bait for a company that would prefer to sell you a
>> cert instead.
>>
>> I'm only aware of one case where you absolutely cannot use Let's
>> Encrypt,
> there is more than one case; just think of trust;
>
> Let's Encrypt only trusts for 3 months;

Could you elaborate on that? Thanks.

Valeri

> would you really expect, in an
> online shop, that someone trusts this shop?
> let us think something like this: "when the CA only trusts for 3 months,
> how should I trust for a longer period
> which is important for warranty ..."
>
>> but it also affects the other public CAs: you can't get a
>> publicly-trusted cert for a machine without a publicly-recognized and
>> -visible domain name. For that, you still need to use self-signed
>> certs or certs signed by a private CA.
> A private CA is the same as self signed;

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
On Wed, June 15, 2016 16:17, Warren Young wrote:
> On Jun 15, 2016, at 7:57 AM, ????????? ???????? <nevis2us at infoline.su>
> wrote:
>>
>> Nowadays it's quite easy to get normal ssl certificates for free. E.g.
>>
>> http://www.startssl.com
>> http://buy.wosign.com/free
>
> Today, I would prefer Let's Encrypt:
>
> https://letsencrypt.org/

here is the better alternative for lazy people

https://www.startssl.com/StartEncrypt

it's based on the root certificates of StartSSL and automatic like Let's Encrypt;