[dev] [en] SSL certificate: which one ?
Goffi
goffi at goffi.org
Tue 25 Mar 18:37:15 CET 2014
OK, I have emitted a class I certificate (6 months validity) from CAcert.
libervia.org is updated with https support, and prosody now uses the CAcert
certificate. I have also updated lua-sec. We now have two A on xmpp.net
security test (was F before):
- https://xmpp.net/result.php?domain=libervia.org&type=client
- https://xmpp.net/result.php?domain=libervia.org&type=server
I guess we'll need to document how CAcert works, why we chose it, how to
install root certificates, why there is a warning, etc.
On Tuesday 25 March 2014, 13:42:53 Adrien wrote:
> I would go for CACert. The warning in the browser is not a big deal IMHO.
>
> On 03/25/2014 01:13 PM, Goffi wrote:
> > Some interesting talks (in French):
> >
> >
> > - https://linuxfr.org/aide#aide-autrecertificatssl
> >
> > - https://linuxfr.org/users/dinomasque/journaux/auto-hebergement-et-securisation-des-acces-via-https
> >
> > - https://linuxfr.org/news/%C3%A9volutions-sur-linuxfr--3#comment-928531
> >
> > CAcert is clearly more in the spirit of SàT, but it's not included in
> > browsers and will not be anytime soon. So let me know what you think...
> >
> > On Tuesday 25 March 2014, 12:30:09 Goffi wrote:
> >> I forgot to say, StartSSL certificates are also accepted in xmpp.net
> >> security tests.
> >>
> >> In my opinion, we should use a Class I StartSSL certificate for the
> >> moment, and think more deeply about it when we will have an official
> >> association/cooperative status.
> >>
> >> The big advantage in comparison to CAcert is that there is no browser
> >> warning.
> >>
> >> Here are the policies of StartCom: https://startssl.com/policy.pdf, it's
> >> pretty long (50 pages) so please double check that it's OK...
> >>
> >> On Tuesday 25 March 2014, 12:08:24 Goffi wrote:
> >>> G'day,
> >>>
> >>> as Souliane has implemented https support in Libervia, we now need a
> >>> certificate for libervia.org server/Libervia instance. I'd like your
> >>> advice for the following options:
> >>>
> >>> - self-signed certificate:
> >>> PROS:
> >>> * free
> >>> * easy and quick to do
> >>>
> >>> CONS:
> >>> * can't do authentication
> >>> * warning in browsers
> >>> * not accepted in xmpp.net security test
> >>>
> >>> - CAcert (https://www.cacert.org/):
> >>> PROS:
> >>> * free
> >>> * based on community, not commercial, more or less in the spirit of SàT
> >>>
> >>> * accepted in xmpp.net security test
> >>>
> >>> CONS:
> >>> * warning in browsers
> >>> * recently removed from Debian and Ubuntu, it seems that there are some security concerns according to the bug comments
> >>> (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718434)
> >>>
> >>> - StartSSL (https://startssl.com/):
> >>> PROS:
> >>> * free for Class 1
> >>> * no warning in browsers
> >>>
> >>> CONS:
> >>> * Non commercial use (SàT is not commercial, but as we are planning to create a cooperative and to have salaries, we must check the terms of use)
> >>> * only one domain and one subdomain
> >>>
> >>> * free certificate is 1 year only (but it can be renewed)
> >>>
> >>> OK, so what's your opinion? Do you have any other option? It's possible to
> >>> have a self-signed certificate first, and change later.
> >>>
> >>> Cheers
> >>> Goffi
> >>>
> >>> _______________________________________________
> >>> dev mailing list
> >>> dev at goffi.org
> >>> http://lists.goffi.org/listinfo/dev