[Discuss] free SSL certs from the EFF

Edward Ned Harvey (blu) blu at nedharvey.com
Thu Nov 20 07:42:39 EST 2014


> From: Tom Metro [mailto:tmetro+blu at gmail.com]
> 
> I explained to them the site had nothing to do with financial
> transactions, to which they responded:

Thanks for that.  I had no idea - as you said - the policy isn't exactly spelled out clearly.  I even downloaded the *big* policy document, and while of course I didn't read the whole thing (hundreds of pages) I did read the section about permitted uses and got no hint about anything like this.


> Yes. Plus pretty much every cert I've requested from StartCom has
> prompted one of their support people to email requesting additional
> identifying information.

That's a bummer.  It's supposed to be random, about 1 in 20, which coincides with my experience.  However, I'm pretty sure there's another factor happening, because my friend whose name is "Ohiomoba" gets constantly screened too.

> > It looks like the main value they're talking about in that article is
> > the ACME automated process for identity validation (... and automated
> > installation).  I wonder if existing CA's like startssl would be
> > unable to easily adopt a new automated process like that, because of
> > the fact that they're a CA they must stick to their existing
> > documented processes.
> 
> I would assume that if StartCom sees this new effort as adhering to the
> same philosophy that led them to offer free certs themselves, that
> they'd adopt the protocol to make their service equally easy to use.

I contacted startssl support and asked them if they could offer an automated process like what Let's Encrypt is going to offer, and also asked if they are bound to the existing process by virtue of the fact that they're a CA.  They didn't give me a clear answer on the first part - I expect they'll respond by either doing it or issuing a statement describing why not.  But they did confirm they're able to change their own policies when they want to, so there isn't an obstacle to adopting an automated process, if they think it's something they want to pursue.


> What's less clear is whether StartCom will be motivated enough to invest
> in the work needed to adopt the new protocol. I don't get the impression
> that they've invested much in their infrastructure lately. Their site
> seems hardly changed in many years.

I take the unchanging website simply as a sign that they're a CA.   ;-)  Every CA I know of has a crappy website that hardly ever changes (or hardly ever changes for the better).


> Having Mozilla in their corner already gets them a big chunk of the
> market. With Google's initiative to get HTTPS used everywhere, it seems
> likely they would get on board with Chrome. I don't think Microsoft or
> Apple would have any strong reason to reject this idea.

Oh - This is something I know and I forget other people don't.  So I apologize for not making it more clear before.

Look at the list of CA's on Mozilla's list, and look at their process for accepting CA's (and read that link about Honest Achmed, which is hilarious https://bugzilla.mozilla.org/show_bug.cgi?id=647959 )

Look at Apple's list and process.  Look at Microsoft.  Google...

Mozilla and Apple are basically the sluts of CA's.  They take any damn thing from anybody.  

It's scary when Microsoft is the gold standard that others should strive to achieve.  They have at least a reasonably restrictive process, and a reasonably restrictive list of CA's.

Google doesn't maintain a list.  They rely on the underlying OS.  Linux also doesn't maintain one - but obviously somebody who's got a package in every standard Linux distribution *does* maintain a list.  I didn't look into who it is or anything.  I'm guessing it's distribution-specific.  Probably Red Hat and Debian actually maintain their own separate lists (just a guess).
