Date: Sat, 2 Jun 2012 21:40:16 +0100
From: David Wood <david@wood2.org.uk>
To: freebsd-ports@freebsd.org
Subject: Re: Please rebuild all ports that depend on PNG
Message-ID: <bpJG2ZGwonyPFAXz@wood2.org.uk>
In-Reply-To: <20120602140703.004264ea@scorpio>
References: <CAGFTUwMo51dWxM2p4STaqt-=NjzEuUH5U6nmbiuzVMtK6_W3dQ@mail.gmail.com> <20120602122658.0f86debc@scorpio> <CADLo8388dHiEZCxdXz9A=Ur5qPVzcfbxh43ZGgzfkbWk9r%2B%2BJg@mail.gmail.com> <20120602140703.004264ea@scorpio>

Dear all,

In message <20120602140703.004264ea@scorpio>, Jerry <jerry@seibercom.net> writes
>IMHO, if you are going to use "https" then you should have a proper SSL
>certificate. A self-signed one means virtually nothing. If the web site
>operator is not going to purchase an authentic certificate then why use
>SSL at all? Just my 2¢ on the matter.

I'm in agreement with Jerry - unless you're going to use a PKI certificate, there's really no point in using SSL. With the default security settings in Firefox, using a web site whose certificate does not chain to a trusted root involves jumping through several hoops. This reflects that SSL is about more than end-to-end encryption.

StartSSL - https://www.startssl.com - offers DV certificates with 1 year validity free of charge so long as you supply some basic identity details and have the necessary control over the domain in which you want a server certificate issued. These are not trial certificates and don't involve a load of marketing - it is a regular product for StartSSL with a zero price tag.

For a relatively small fee, which pays for the cost of some basic identity checking, you can issue as many IV certificates with 2 year validity as you want for a 350 day period on domains and e-mail addresses that you control. This option allows multiple DNS names in one server certificate, wildcard server certificates and code signing certificates (albeit encumbered with an OID that means the signatures on Microsoft operating systems expire at the same time as the certificate, even if the signature is timestamped).

The StartSSL root is in most major root bundles.

I have no connection with StartSSL, StartCom or Eddy Nigg other than as a satisfied customer.

Of course, as Kevin Oberman notes, the public PKI is not perfect. A DV (Domain Validated) certificate merely says that at one moment in time, you had access to a 'privileged' e-mail address (postmaster@, webmaster@ or hostmaster@) - nothing more. Still, as it costs nothing to get a certificate chained to a trusted root with about five minutes of effort, I see no reason not to do so. At this price, it is affordable to use 'real' certificates for test sites on throw-away subdomains.

With best wishes to you all,

David

-- 
David Wood
david@wood2.org.uk