
If a government agency wanted to read the encrypted traffic to and from gutenberg.org, would an EV certificate be significantly harder to compromise than a cheap domain verified cert? As far as I know, there is no cryptographic difference between the two types of certs. The only difference is in the price and the steps you have to go through to prove your identity when acquiring the certificate.

Yes, the address bar does turn green with the more expensive certs, but is that really meaningful to end users? Or, putting the question another way, how many users would be alarmed if they visited our "secure site" and their address bar didn't turn green? I suspect few to none, but that's just a guess.

So, if there's no cryptographic difference between the two cert types, and if most users wouldn't notice anyway, why pay more? What am I missing?

Aaron

On 1/1/12, Marcello Perathoner <marcello@perathoner.de> wrote:
> On 01/01/2012 07:22 PM, Alex Buie wrote:
>> On Sun, Jan 1, 2012 at 12:57 PM, Marcello Perathoner <marcello@perathoner.de> wrote:
>>> Certificates are expensive. You have to get them and renew them. Maybe we could get a cheap one from a certification authority for academia.
>>
>> I'm pretty sure we could get 18 people to pay $0.50 for a PositiveSSL cert ;-). http://www.namecheap.com/ssl-certificates/comodo/positivessl-certificate.asp...
>
> The idea here is to protect people's reading choices from government eavesdropping. That's a different class of security than to prevent your internet cafe neighbour from seeing what you download. In the latter case a self-signed certificate would suffice.
>
> What we need is a worldwide recognized CA that does real checks, i.e. paperwork, to determine the authenticity of the certificate request. Also, we need an EV certificate, e.g. one that turns the browser bar green. EV certificates work for one subdomain only. So we'd need at least 2 of them.
>
> EV certificates at Verisign start at $998 / year.
>
> I'd appreciate if you stopped spamming the list with comments that only expose your personal naivete in real world security matters.
>
> --
> Marcello Perathoner
> webmaster@gutenberg.org