[HCoop-Discuss] TLS Perfect Forward Secrecy etc.

Sajith T S sajith at hcoop.net
Fri Apr 18 10:17:28 EDT 2014


Clinton Ebadi <clinton at unknownlamer.org> wrote:

> A short-term solution, at least for signing up new members, would be to
> accept Gandi's offer of a free one year certification, and move the join
> scripts to hcoop.net/join instead of join.hcoop.net. This would at least
> improve the initial impression of hcoop, and costs us nothing. Thoughts?
> I am inclined to just grab the certificate when I renew hcoop.net (I
> think since it doesn't involve money, this falls under authority
> delegated to sysadmin volunteers).

Taking up Gandi's offer actually sounds like a good idea to me.  I am
also inclined to trust Gandi more than StartSSL, but I must also admit
the complete lack of objectivity in my trust.

> If we go with StartSSL, we have to appoint a certmaster who has their
> identity verified ($60/year), and also verify the organization yearly
> (another $60). At that price, it *might* be worth spending $160/year for
> a Gandi wildcard cert, although there are some security advantages to
> issuing separate certifications per subdomain and the StartSSL option
> provides identity information. I am not sure we are actually permitted
> to use a wildcard cert either, since we offer subdomains to members
> freely. Perhaps as long as the cert doesn't include identity
> information? I think a wiki page for discussion is in order (hint hint,
> nudge nudge).

About attaching identity to the cert, I'm not sure it's worth all the
money and trouble.  Not seeing a big honking warning from the browser
would be good enough. :)  And if it's cheaper, certs for just the more
critical subdomains (members, mail) would be good enough too.

Btw, I started a wiki page.

http://wiki.hcoop.net/HeartBleedAfterMath

It's not even sketchy, and I am sorry about the page URL: turns out I
can't rename it or just start a new properly titled page without
leaving a dangling one behind.  I would be happy if someone could fix
that.

Also, the wiki encountered an internal server error when I requested a
password reset.  It emailed me a reset token anyway, but another
internal server error happened when I created a new password.  And
then it let me use the new password.  What's up with that?


-- 
"the lyf so short, the craft so long to lerne."
                 -- Chaucer.




More information about the HCoop-Discuss mailing list