Please rebuild all ports that depend on PNG

David Wood david at wood2.org.uk
Sat Jun 2 21:08:11 UTC 2012


Dear all,

In message <20120602140703.004264ea at scorpio>, Jerry 
<jerry at seibercom.net> writes
>IMHO, if you are going to use "https" then you should have a proper SSL 
>certificate. A self-signed one means virtually nothing. If the web site 
>operator is not going to purchase an authentic certificate then why use 
>SSL at all? Just my 2¢ on the matter.

I'm in agreement with Jerry - unless you're going to use a PKI 
certificate, there's really no point in using SSL. With the default 
security settings in Firefox, using a web site whose certificate does 
not chain to a trusted root involves jumping through several hoops. This 
reflects that SSL is about more than end-to-end encryption.


StartSSL - https://www.startssl.com - offers DV certificates with 1 year 
validity free of charge so long as you supply some basic identity 
details and have the necessary control over the domain in which you want 
a server certificate issued. These are not trial certificates and don't 
involve a load of marketing - it is a regular product for StartSSL with a 
zero price tag.

For a relatively small fee, which pays for the cost of some basic 
identity checking, you can issue as many IV certificates with 2 year 
validity as you want for a 350 day period on domains and e-mail 
addresses that you control. This option allows multiple DNS names in one 
server certificate, wildcard server certificates and code signing 
certificates (albeit encumbered with an OID that means the signatures on 
Microsoft operating systems expire at the same time as the certificate, 
even if the signature is timestamped).


The StartSSL root is in most major root bundles.


I have no connection with StartSSL, StartCom or Eddy Nigg other than as 
a satisfied customer.


Of course, as Kevin Oberman notes, the public PKI is not perfect. A DV 
(Domain Validated) certificate merely says that at one moment in time, 
you had access to a 'privileged' e-mail address (postmaster@, webmaster@ 
or hostmaster@) - nothing more. Still, as it costs nothing to get a 
certificate chained to a trusted root with about five minutes of 
effort, I see no reason not to do so. At this price, it is affordable to 
use 'real' certificates for test sites on throw-away subdomains.




With best wishes to you all,




David
-- 
David Wood
david at wood2.org.uk

