
A self-signed cert actually doesn't necessarily provide confidentiality, as it does not protect against man-in-the-middle attacks. Also, self-signed certs cause users to get those scary warnings. Considering the fact that an SSL cert can be had for less than $10, I don't think there's any good reason not to just get a CA-signed cert. I'd even be willing to donate the cost of getting one.

Here are the current prices from NameCheap.com, and there are almost certainly other providers as well: https://www.namecheap.com/ssl-certificates/comodo.aspx

Aaron

On 1/1/12, Lee Passey <lee@novomail.net> wrote:
On 1/1/2012 10:57 AM, Marcello Perathoner wrote:
On 01/01/2012 06:35 PM, Aaron Cannon wrote:
Hi all.
Just wondering if we've ever considered installing an SSL certificate on gutenberg.org? It occurs to me that someone might consider their downloads from the site and what they are reading to be confidential information, and not want it sent in the clear. I don't think that it would be necessary to go so far as to make it the default, but having the option available would be nice.
My first reaction to this was "what a silly idea! Why should anyone care if I'm downloading 100-year-old books?"
My second reaction was, "given the state of the world, this is probably a very good idea."
Would our web host, Ibiblio, have a problem with this?
Other thoughts?
SSL certificates serve three basic purposes: authentication of the certificate holder (at least to the extent of knowing that a certificate authority asserts that data in a certificate, including identity information and a public key, is valid), data integrity (if the private key is used to sign the data), and confidentiality (if the data channel is encrypted).
Certificates are expensive. You have to get them and renew them. Maybe we could get a cheap one from a certification authority for academia.
Why not use a self-signed certificate? Self-signed certificates provide no assurance that the data in the certificate (including the public key) is accurate, but they are still completely adequate to ensure confidentiality, and it seems to me that confidentiality is the goal PG would be trying to achieve.
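
Added example (not part of the original thread): the disagreement above over self-signed certificates comes down to what a client is able to check, so this script creates two self-signed certificates for the same name and compares a name-only check, a pinned-fingerprint check and a chain check. The hostname `www.example.org`, the file names and the helper function names are constructed for this illustration, and it assumes the `openssl` command-line tool is installed.

```shell
#!/usr/bin/env bash
# Added illustration: what a client can and cannot tell apart when two
# self-signed certificates claim the same hostname (constructed test data).

make_self_signed() {   # $1 = output path prefix, $2 = hostname to put in CN
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$2" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

subject_of()     { openssl x509 -in "$1" -noout -subject; }
fingerprint_of() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

# Name-only check: all that is left once a user clicks through the warning.
same_claimed_identity() { [ "$(subject_of "$1")" = "$(subject_of "$2")" ]; }

# Pinned check: compare against a fingerprint obtained out of band ($2).
matches_pin() { [ "$(fingerprint_of "$1")" = "$2" ]; }

# Chain check: does certificate $2 validate against trust anchor $1?
# The output is parsed because old OpenSSL releases exit 0 on some failures.
chains_to() { openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'; }

demo() {
  work=$(mktemp -d) || return 1
  make_self_signed "$work/site"  www.example.org   # the site operator's cert
  make_self_signed "$work/other" www.example.org   # a second party, same name
  pin=$(fingerprint_of "$work/site.crt")
  for c in site other; do
    crt="$work/$c.crt"
    if same_claimed_identity "$work/site.crt" "$crt"; then n=same; else n=different; fi
    if matches_pin "$crt" "$pin"; then p=match; else p=MISMATCH; fi
    if chains_to "$work/site.crt" "$crt"; then v=ok; else v=FAIL; fi
    echo "$c.crt: name=$n pin=$p chain=$v"
  done
  rm -rf "$work"
}

demo
```

Both certificates carry the same name, so only the pinned fingerprint or a trust anchor the client already holds separates them.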