Thanks for that detailed and interesting reply, Jonathan.

On Sun, Jun 18, 2017 at 12:35 PM, Jonathan Rochkind <jonat...@dnil.net> wrote:
> Just to clarify, by "Commercial certificates offer stronger proof of identity", you mean an "Extended Validation" (EV) certificate.
> https://en.wikipedia.org/wiki/Extended_Validation_Certificate
>
> If you are getting a 'commercial certificate' that is a standard 'domain validated' cert instead of an EV cert, you are not getting any stronger proof of identity than you would from letsencrypt.
>
> The cert used at https://www.ubalt.edu does NOT appear to be an EV cert, but an ordinary domain validated one. (Additionally, that particular web page serves http: images, triggering browser mixed content warnings!)
>
> Same thing for the cert at https://langsdale.ubalt.edu/.
>
> Looking at another Maryland public university: https://umd.edu/ appears similar. NOT an EV cert, and additionally serving http assets triggering a mixed content warning.
>
> I'm actually having trouble finding an academic institution, or even a standard ecommerce site, that DOES use an EV cert.
>
> You can tell it's an EV cert when Chrome or Firefox put the name of the organization in the location bar to the left of the URL. Additionally, in Firefox, if you click that name, then click the right-chevron 'more info' icon, then click "More information", under "Website Identity" it will list an "Owner:" for an EV cert. For an ordinary domain-validated cert, it will list "This website does not supply ownership information" instead.
>
> Here's an example of an EV cert, the cert on digicert.com, a seller of certs:
>
> https://www.digicert.com/
>
> If your cert is not EV but is just "domain validated", then despite it being "commercial" it supplies the same level of proof of identity as a letsencrypt cert -- proof of control of the domain at the time the cert was issued, either way.
>
> On Sat, Jun 17, 2017 at 1:53 PM, Cary Gordon <listu...@chillco.com> wrote:
>
> > We are starting to roll out LetsEncrypt for all of our services and clients who do not use or want commercial certificates.
> >
> > Note that LetsEncrypt offers only domain authentication, in most cases specifically validated by your control of the server. Commercial certificates offer stronger proof of identity.
> >
> > We recommend commercial certificates for any sites that conduct financial transactions or require HIPAA compliance.
> >
> > Thanks,
> >
> > Cary
> >
> > Cary Gordon
> > The Cherry Hill Company
> > http://chillco.com
> >
> > > On Jun 16, 2017, at 12:34 PM, Kyle Breneman (via lita-l Mailing List) <lit...@lists.ala.org> wrote:
> > >
> > > Apologies for cross-posting...
> > >
> > > Anyone out there working at a public institution that's using Let's Encrypt for security certificates? I just suggested to our campus IT that we switch to using Let's Encrypt. They told me it would need to clear the State of Maryland approval process first, and suggested that it would be helpful to be able to point to other public institutions that are using it.
> > >
> > > Regards,
> > > Kyle Breneman
> > > Integrated Digital Services Librarian
> > > University of Baltimore
> > >
> > > To maximize your use of LITA-L or to unsubscribe, see http://www.ala.org/lita/involve/email
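The "Owner:" versus "does not supply ownership information" check Jonathan describes, done against the certificate itself instead of through the Firefox dialog, as an added Go example that is not from anyone in this thread. It builds its own self-signed certificates so it runs offline; "Example University" and www.example.edu are constructed sample values, and the presence of a Subject Organization is what separates a domain-only cert from an OV/EV one (it cannot tell OV from EV).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// OwnerOf returns the Subject Organization, if any. A domain-validated cert has none
// (Firefox: "does not supply ownership information"); OV and EV certs carry one ("Owner:").
func OwnerOf(cert *x509.Certificate) (owner string, hasOwner bool) {
	if len(cert.Subject.Organization) == 0 {
		return "", false
	}
	return cert.Subject.Organization[0], true
}

// NewSelfSignedCert builds a throwaway cert for dnsNames with the given Organization
// (constructed stand-in so this runs offline; a live cert comes from tls.ConnectionState).
func NewSelfSignedCert(org []string, dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsNames[0], Organization: org},
		DNSNames:     dnsNames,
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() { // "Example University" and www.example.edu are constructed sample values
	cert, err := NewSelfSignedCert([]string{"Example University"}, []string{"www.example.edu"})
	if err != nil {
		panic(err)
	}
	fmt.Println(OwnerOf(cert)) // prints: Example University true
}
```

Passing nil as the Organization produces the domain-only case, for which OwnerOf reports no owner, matching what Firefox shows for a Let's Encrypt or any other domain-validated cert.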