[Tracker-discuss] [issue527] HTTPS / SSL / Secure access
Martin v. Löwis added the comment:

I have now installed a CACert certificate, so https is available for bugs.python.org.

___
PSF Meta Tracker metatrac...@psf.upfronthosting.co.za
http://psf.upfronthosting.co.za/roundup/meta/issue527
___
___
Tracker-discuss mailing list
Tracker-discuss@python.org
https://mail.python.org/mailman/listinfo/tracker-discuss
[Tracker-discuss] [issue527] HTTPS / SSL / Secure access
Myroslav Opyr added the comment:

Hi,

StartSSL used to offer Free SSL certificates for years already. The problems (issues to remember) with their certificates are:

1. Revocation is not free, thus it's better to keep the key safe.
2. They can refuse to issue a free certificate if they consider the certificate they are expected to issue to be used to protect financial transactions (or other commercial stuff), i.e. restrictions apply.
3. A free SSL certificate will contain the e-mail of the person who requested the certificate.
4. For Domain Control validation (mandatory check) one should have access to either of the e-mail addresses: postmas...@python.org, webmas...@python.org, hostmas...@python.org, as they send an e-mail with a validation code to one of them.
5. The certificate is valid for 1 year only, and has to be reissued (no renewal, but reissuing, with the same process as the original one) not sooner than 14 days before the previous one expires. This can be inconvenient in case of some vacation schedule clashes.
6. The account at StartSSL is protected with a client SSL certificate, which should be taken care of by the person requesting the Free SSL certificate, i.e. there is no standard login/password to share between PC/laptop, but a client SSL certificate to export/backup/restore/import. One should not forget about that personal certificate's renewal as well.

Some of the items above become less inconvenient with their paid tiers, but we're talking about free SSL certificates.

Regards,

m.

On Mon, Sep 30, 2013 at 10:36 AM, Martin v. Löwis metatrac...@psf.upfronthosting.co.za wrote:

> Martin v. Löwis added the comment:
>
> What is FreeSSL, and how do I get them to issue a free certificate?
> --
> nosy: +loewis
> status: unread - chatting

--
nosy: +myroslav
[Tracker-discuss] [issue527] HTTPS / SSL / Secure access
Martin v. Löwis added the comment:

techtonik specifically asked for FreeSSL, so I still wonder what that is. I'm familiar with StartSSL, and the PSF infrastructure group indeed does have access to such certificates. The problem with the StartSSL certificate is that it has python.org as a subject alternative name, which is undesired due to the threat that arises from it if somebody breaks into bugs.python.org.
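The concern raised in the message above, a certificate deployed on bugs.python.org that also names python.org, can be checked mechanically. This is an added example, not part of the original thread or of any PSF tooling; the function names and the sample certificate dictionaries are constructed for illustration and use the dictionary shape returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
# Added example: compare the DNS names a certificate vouches for with the
# hostnames the server holding its private key actually serves.

def san_dns_names(cert):
    """DNS entries from a dict shaped like ssl.SSLSocket.getpeercert() output."""
    return [value.lower().rstrip(".")
            for kind, value in cert.get("subjectAltName", ())
            if kind == "DNS"]

def covers(pattern, host):
    """True if a SAN entry matches host; '*' stands for exactly one leftmost label."""
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def audit(cert, served_hosts):
    """Report SAN names beyond this host's role, and served names left uncovered."""
    served = [h.lower().rstrip(".") for h in served_hosts]
    names = san_dns_names(cert)
    # A wildcard always reaches sibling hosts, so it is reported as excess too.
    excess = [n for n in names if n.startswith("*.") or n not in served]
    missing = [h for h in served if not any(covers(n, h) for n in names)]
    return {"excess": excess, "missing": missing}

# Constructed samples (not real certificates).
SHARED_CERT = {"subjectAltName": (("DNS", "bugs.python.org"),
                                  ("DNS", "python.org"))}
SCOPED_CERT = {"subjectAltName": (("DNS", "bugs.python.org"),)}
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.python.org"),)}

if __name__ == "__main__":
    for label, cert in (("shared", SHARED_CERT), ("scoped", SCOPED_CERT),
                        ("wildcard", WILDCARD_CERT)):
        print(label, audit(cert, ["bugs.python.org"]))
```

Any name listed under `excess` is one that the key on this host could be used to impersonate if the host were compromised.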
[Tracker-discuss] [issue527] HTTPS / SSL / Secure access
Myroslav Opyr added the comment:

Ah indeed, that Alternative name thing. Yes, this is not a desirable side effect. It would be worth mentioning to StartSSL people as they are quite security savvy and such escalation of privileges should not be a side-effect of their free certificates.

On Mon, Sep 30, 2013 at 3:53 PM, Martin v. Löwis metatrac...@psf.upfronthosting.co.za wrote:

> Martin v. Löwis added the comment:
>
> techtonik specifically asked for FreeSSL, so I still wonder what that is. I'm familiar with StartSSL, and the PSF infrastructure group indeed does have access to such certificates. The problem with the StartSSL certificate is that it has python.org as a subject alternative name, which is undesired due to the threat that arises from it if somebody breaks into bugs.python.org.
[Tracker-discuss] [issue527] HTTPS / SSL / Secure access
New submission from anatoly techtonik:

Now that FreeSSL provides accessible certificates, it is no longer a stumbling block to implement secure access to bugs.python.org.

What else needs to be done to make https://bugs.python.org working?

--
messages: 2784
nosy: techtonik
priority: critical
status: unread
title: HTTPS / SSL / Secure access