[dev] [en] SSL certificate: which one ?

Goffi goffi at goffi.org
Tue Mar 25 18:37:15 CET 2014


OK, I have emitted a class I certificate (6 months validity) from CAcert.

libervia.org is updated with https support, and prosody now uses the CAcert 
certificate. I have also updated lua-sec. We now have two A grades on the xmpp.net 
security test (it was F before):
	- https://xmpp.net/result.php?domain=libervia.org&type=client
	- https://xmpp.net/result.php?domain=libervia.org&type=server

I guess we'll need to document how CAcert works, why we chose it, how to 
install root certificates, why there is a warning, etc.

On Tuesday 25 March 2014, 13:42:53 Adrien wrote:
> I would go for CACert. The warning in the browser is not a big deal IMHO.
> 
> On 03/25/2014 01:13 PM, Goffi wrote:
> > Some interesting talks (in French):
> > 
> > 
> > - https://linuxfr.org/aide#aide-autrecertificatssl
> > 
> > - https://linuxfr.org/users/dinomasque/journaux/auto-hebergement-et-securisation-des-acces-via-https
> > 
> > - https://linuxfr.org/news/%C3%A9volutions-sur-linuxfr--3#comment-928531
> > 
> > CAcert is clairly more in the spirit of SàT, but it's not included in
> > browsers and will not be anytime soon. So let me know what you think...
> > 
> > On Tuesday 25 March 2014, 12:30:09 Goffi wrote:
> >> I forgot to say, StartSSL certificates are also accepted in xmpp.net
> >> security tests.
> >> 
> >> In my opinion, we should use a Class I startSSL certificate for the
> >> moment, and think more deeply about it when we will have an official
> >> association/cooperative status.
> >> 
> >> The big advantage in comparison to CAcert is that there are no browser
> >> warnings.
> >> 
> >> Here are the policies of startcom: https://startssl.com/policy.pdf, it's
> >> pretty long (50 pages) so please double check that it's OK...
> >> 
> >> On Tuesday 25 March 2014, 12:08:24 Goffi wrote:
> >>> G'day,
> >>> 
> >>> as Souliane has implemented https support in Libervia, we now need a
> >>> certificate for the libervia.org server/Libervia instance. I'd like your
> >>> advice on the following options:
> >>> 
> >>> - self-signed certificate:
> >>> 	PROS:
> >>> 		* free
> >>> 		* easy and quick to do
> >>> 	
> >>> 	CONS:
> >>> 		* can't do authentication
> >>> 		* warning in browsers
> >>> 		* not accepted in xmpp.net security test
> >>> 
> >>> - CAcert (https://www.cacert.org/):
> >>> 	PROS:
> >>> 		* free
> >>> 		* based on community, not commercial, more or less in the spirit of
> >>> 		  SàT
> >>> 		* accepted in xmpp.net security test
> >>> 	
> >>> 	CONS:
> >>> 		* warning in browsers
> >>> 		* recently removed from Debian and Ubuntu, it seems that there are
> >>> 		  some security concerns according to the bug comments
> >>> 		  (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718434)
> >>> 
> >>> - StartSSL (https://startssl.com/):
> >>> 	PROS:
> >>> 		* free for Class 1
> >>> 		* no warning in browsers
> >>> 	
> >>> 	CONS:
> >>> 		* Non commercial use (SàT is not commercial, but as we are planning
> >>> 		  to create a cooperative and to have salaries, we must check the terms
> >>> 		  of use)
> >>> 		* only one domain and one subdomain
> >>> 		* free certificate is 1 year only (but it can be renewed)
> >>> 
> >>> OK, so what's your opinion? Do you have any other option? It's possible
> >>> to have a self-signed certificate first, and change later.
> >>> 
> >>> Cheers
> >>> Goffi
> >>> 
> >>> _______________________________________________
> >>> dev mailing list
> >>> dev at goffi.org
> >>> http://lists.goffi.org/listinfo/dev
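The browser warning and the xmpp.net grade discussed above both come down to whether the issuing root is in the verifier's trust store. The following script is an added example, not code from the original thread: it builds a constructed private CA (a stand-in for the CAcert root, not the real one) and a leaf for libervia.org, shows `openssl verify` rejecting the leaf against the system store and accepting it once the root is supplied, and checks how soon a 6-month certificate needs renewal. It assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example, not code from the original thread. It reproduces the "warning in
# browsers" situation: a leaf certificate signed by a root the verifier does not
# know is rejected, and the same leaf is accepted once that root is supplied (the
# effect of installing the CAcert root). Assumes the openssl CLI is installed; the
# CA name, key sizes and validity periods below are constructed for the demo.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# A constructed "community CA" root, standing in for the CAcert root (not the real one).
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example Community CA (constructed)" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1

# A leaf for the server, signed by that root, with a 6-month (182-day) validity
# like the class I certificate mentioned in the thread.
openssl req -newkey rsa:2048 -nodes -subj "/CN=libervia.org" \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 182 -out "$WORK/srv.crt" >/dev/null 2>&1

# verify_chain CERT [ROOT]: prints "trusted" or "untrusted".
# Without ROOT only the system trust store is consulted, which is what a browser
# does before the CAcert root is installed.
verify_chain() {
    if [ -n "${2:-}" ]; then
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 && echo trusted || echo untrusted
    else
        openssl verify "$1" >/dev/null 2>&1 && echo trusted || echo untrusted
    fi
}

# expires_within_days CERT DAYS: prints "yes" if CERT expires within DAYS days, else "no".
# Useful for scheduling renewal of short-lived (6-month / 1-year) certificates.
expires_within_days() {
    secs=$(( $2 * 86400 ))
    if openssl x509 -checkend "$secs" -in "$1" >/dev/null 2>&1; then
        echo no
    else
        echo yes
    fi
}

echo "system store only  : $(verify_chain "$WORK/srv.crt")"
echo "with CA root       : $(verify_chain "$WORK/srv.crt" "$WORK/ca.crt")"
echo "expires in 30 days : $(expires_within_days "$WORK/srv.crt" 30)"
echo "expires in 200 days: $(expires_within_days "$WORK/srv.crt" 200)"
```

Pointing `-CAfile` at the real CAcert root (after checking its fingerprint from an independent source) gives the same "trusted" result for a CAcert-issued chain, which is exactly what installing the root into the system store does for browsers.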




More information about the dev mailing list