undefined | Better HN

0 pointsrblatz9y ago0 comments

That seems like an odd move, doubling down on the CA after news of them doing shady stuff? Why not take that opportunity to switch to something else like let's encrypt?

0 comments

justinclift9y ago

Really not sure why you'd think this is "doubling down"?

We've already gone through the StartCom verification process, but had only generated a few specific cert's for subdomains.

However, we're right now in the process of launching a new online project. No idea what subdomains will be needed in very near future.

It costs us no extra to generate wildcard ones, which obviously is the right move to do as they'll be valid while StartCom's new ones are no longer trusted (when Mozilla stops accepting new certs).

There's literally no way we could afford to pay for new certs from an alternative registrar instead.

tho9Ohx1eo9y ago

> There's literally no way we could afford to pay for new certs from an alternative registrar instead.

If ~$100 is that much for you (as a company of some sort) why don't you use Letsencrypt?

justinclift9y ago

Good point, that might be the better solution for the public HTTPS part of things.

Lets Encrypt doesn't provide MS Authenticode signing certs (eg to validate our downloads are legit) though. Hopefully this whole mess doesn't scope creep to include those too.

1 more reply

j / k navigate · click thread line to collapse

0 comments

justinclift9y ago

Really not sure why you'd think this is "doubling down"?

We've already gone through the StartCom verification process, but had only generated a few specific cert's for subdomains.

However, we're right now in the process of launching a new online project. No idea what subdomains will be needed in very near future.

It costs us no extra to generate wildcard ones, which obviously is the right move to do as they'll be valid while StartCom's new ones are no longer trusted (when Mozilla stops accepting new certs).

There's literally no way we could afford to pay for new certs from an alternative registrar instead.

tho9Ohx1eo9y ago

> There's literally no way we could afford to pay for new certs from an alternative registrar instead.

If ~$100 is that much for you (as a company of some sort) why don't you use Letsencrypt?

justinclift9y ago

Good point, that might be the better solution for the public HTTPS part of things.

Lets Encrypt doesn't provide MS Authenticode signing certs (eg to validate our downloads are legit) though. Hopefully this whole mess doesn't scope creep to include those too.

1 more reply

j / k navigate · click thread line to collapse