On Fri, 07 Jan 2011 11:11:55 -0000, Glenn Maynard <gl...@zewt.org> wrote:

I gave it a try earlier, since it was mentioned.  It created my
account, rejected my CSR, and I got a message saying that I somehow
failed to create a login certificate, that I'd no longer be able to
log in, and according to the FAQ the only way to continue would be to
create a whole new account on a different email address and to ask
them to manually merge the accounts.  That's broken in countless ways;
no CA should have such a brittle, half-baked account system.

StartSSL uses client certificates to log in, which theoretically is a great idea, as account access (thus the security of all its certificates) relies on strong cryptography, rather than some custom password-based mechanism.

In practice it's not so great, but maybe it's not StartSSL's fault, but due to the complexity of certificates, the inflexibility of <keygen> and very rough implementations of it.

--
regards, Kornel Lesiński
