<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 1/30/2017 4:04 PM, Lightner, Jeffrey wrote:<br>
<blockquote
cite="mid:DM2PR07MB35070FE1464718C4E980FC1C14B0@DM2PR07MB350.namprd07.prod.outlook.com"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:'Calibri','sans-serif';color:#1F497D">+1
<br>
We started using Digicert instead of Verisign a few years
back and other than the need to install new root
certificates on some of our stuff that didn’t know about
Digicert early on we haven’t had any issues.
<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:'Calibri','sans-serif';color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:'Tahoma','sans-serif'">From:</span></b><span
style="font-size:10.0pt;font-family:'Tahoma','sans-serif'">
<a class="moz-txt-link-abbreviated" href="mailto:ale-bounces@ale.org">ale-bounces@ale.org</a> [<a class="moz-txt-link-freetext" href="mailto:ale-bounces@ale.org">mailto:ale-bounces@ale.org</a>]
<b>On Behalf Of </b>James Sumners<br>
<b>Sent:</b> Monday, January 30, 2017 3:41 PM<br>
<b>To:</b> Atlanta Linux Enthusiasts<br>
<b>Subject:</b> Re: [ale] Oct News: StartCom, WoSign
distrusted by Mozilla, Google, Apple<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">We use DigiCert at work and haven't ever
had any issues. I actually really like their support and
information they have in their help section.<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Personally, I use <a
moz-do-not-send="true" href="http://letsencrypt.org">letsencrypt.org</a>.
The official client is awful, but this one is great -- <a
moz-do-not-send="true"
href="https://github.com/hlandau/acme">https://github.com/hlandau/acme</a><o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On Mon, Jan 30, 2017 at 3:08 PM, Brian
W. Neu &lt;<a moz-do-not-send="true"
href="mailto:ale@advancedopen.com" target="_blank">ale@advancedopen.com</a>&gt;
wrote:<o:p></o:p></p>
<p class="MsoNormal">Randomly logged into my StartCom
account today to see all kinds of red text about free
verifications and expirations and workarounds.<br>
<br>
Through a little reading, it's clear that the Mozilla
Foundation and Google have both announced that they are
distrusting the StartCom and WoSign CAs due to deceptive
practices unbecoming of a certificate authority. The
short story is that WoSign, a Chinese company claiming 70%
of the certificate market in China, was allowing for the
backdating of new SHA1 signings to avoid some kind of
sunset imposed by Microsoft and others. WoSign also
acquired StartCom in 2015, and purposely hid this from the
public, even denied it to the Mozilla Foundation until
irrefutable evidence surfaced.<br>
<br>
Looks like StartCom is trying to mitigate damage by
spinning off as a separate entity, but what a disaster!
Any alternative CAs led by non-shady businessmen?
Comodo?<br>
<br>
<a moz-do-not-send="true"
href="https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/"
target="_blank">https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/</a>
<br>
<br>
<a moz-do-not-send="true"
href="https://en.wikipedia.org/wiki/StartCom"
target="_blank">https://en.wikipedia.org/wiki/StartCom</a><br>
<br>
<a moz-do-not-send="true"
href="https://www.thesslstore.com/blog/wosign-startcom-separated/"
target="_blank">https://www.thesslstore.com/blog/wosign-startcom-separated/</a><br>
<br>
<a moz-do-not-send="true"
href="https://security.googleblog.com/2016/10/distrusting-wosign-and-startcom.html"
target="_blank">https://security.googleblog.com/2016/10/distrusting-wosign-and-startcom.html</a><br>
</p>
</div>
</div>
</div>
</blockquote>
Yeah, I'd probably use DigiCert over Verisign if I had $299 for
each multi-SAN certificate I needed vs the $120/year I pay to
StartCom for unlimited multi-SAN certificates and I only need to pay
that every 2-3 years honestly if I don't need to issue any new
certificates between expirations. <br>
</body>
</html>