On 28 September 2016 10:25:42 CEST, li...@lazygranch.com wrote:
>I don't want to take this thread off course, but suggestions for low cost
>certs would be appreciated. I don't like how Let's Encrypt works, else
>that would be the obvious solution.

I get mine through https://www.ssls.com

>Domain registration isn't free. Server time isn't free. Something like
>$20 a year would be fine. I already have a self signed cert for email,
>but would like to eventually encrypt my websites and attempt
>dnssec/dane.
>
>When Symantec first announced that they would compete with Let's
>Encrypt, I signed up with them. But it looks like their free cert
>program is more like you need to recruit customers for them.
>
>
>  Original Message
>From: Sven Schwedas
>Sent: Wednesday, September 28, 2016 1:10 AM
>To: postfix-users@postfix.org
>Subject: Re: WoSign/StartCom CA in the news
>
>On 2016-09-28 00:31, Giovanni Harting wrote:
>> Correct me if I'm wrong, but that document you describe issued by
>> Mozilla and others, doesn't it state that it would only affect newly
>> issued certs after a certain date?
>
>Yes, but most StartSSL/WoSign certificates are only valid for a year or
>less. So customers should start looking for alternative providers *now*,
>because a year-long block will affect almost all of them.
>
>> On 09/28/16 at 00:29, Viktor Dukhovni wrote:
>>> WoSign (who seemingly purchased StartCom) seem to have run into
>>> some compliance issues as reported by Firefox:
>>>
>>> http://arstechnica.com/security/2016/09/firefox-ready-to-block-certificate-authority-that-threatened-web-security/
>>>
>>> Many SMTP servers are using certs from StartCom. In my DANE
>>> adoption survey, out of 2201 certificates used by DANE MX
>>> hosts 411 are issued by StartCom and 47 by WoSign. So that's
>>> just over 20% of observed certificates. While the rate is
>>> likely different for the larger SMTP ecosystem (DANE users
>>> are bleeding edge, not representative at this time), I expect
>>> that these CAs are still quite popular overall.
>>>
>>> If you're using StartCom/WoSign certs, and rely on them being
>>> verified by MUAs and/or peer MTAs, you may want to make
>>> contingency plans if Mozilla and perhaps others go through
>>> with delisting (or disabling) the related root CAs from
>>> their trusted CA bundles.
>>>
>>