From: David Wood
To: freebsd-ports@freebsd.org
Date: Sat, 2 Jun 2012 21:40:16 +0100
Subject: Re: Please rebuild all ports that depend on PNG

Dear all,

In message <20120602140703.004264ea@scorpio>, Jerry writes
>IMHO, if you are going to use "https" then you should have a proper SSL
>certificate. A self-signed one means virtually nothing. If the web site
>operator is not going to purchase an authentic certificate then why use
>SSL at all? Just my 2¢ on the matter.

I'm in agreement with Jerry - unless you're going to use a PKI
certificate, there's really no point in using SSL. With the default
security settings in Firefox, using a web site whose certificate does
not chain to a trusted root involves jumping through several hoops. This
reflects that SSL is about more than end-to-end encryption.

StartSSL - https://www.startssl.com - offers DV certificates with 1 year
validity free of charge so long as you supply some basic identity
details and have the necessary control over the domain in which you want
a server certificate issued. These are not trial certificates and don't
involve a load of marketing - it is a regular product for StartSSL with a
zero price tag.

For a relatively small fee, which pays for the cost of some basic
identity checking, you can issue as many IV certificates with 2 year
validity as you want for a 350 day period on domains and e-mail
addresses that you control. This option allows multiple DNS names in one
server certificate, wildcard server certificates and code signing
certificates (albeit encumbered with an OID that means the signatures on
Microsoft operating systems expire at the same time as the certificate,
even if the signature is timestamped).

The StartSSL root is in most major root bundles.

I have no connection with StartSSL, StartCom or Eddy Nigg other than as
a satisfied customer.

Of course, as Kevin Oberman notes, the public PKI is not perfect. A DV
(Domain Validated) certificate merely says that at one moment in time,
you had access to a 'privileged' e-mail address (postmaster@, webmaster@
or hostmaster@) - nothing more. Still, as it costs nothing to get a
certificate chained to a trusted root with about five minutes of
effort, I see no reason not to do so. At this price, it is affordable to
use 'real' certificates for test sites on throw-away subdomains.

With best wishes to you all,

David

-- 
David Wood
david@wood2.org.uk