On 4 November 2013, Ross Singer wrote:

> While I'm not opposed to providing code4lib.org via HTTPS, I don't think
> it's as simple as "let's just do it!". Who will be responsible for making
> sure the cert is up to date?

I will for a while! I'll make some entries in my calendar.

> Who will pay for certs (if we don't go with startcom)?

Good question. There was a small working group formed a little while ago
that was looking at a formal Code4Lib organization ... did anything come
of that? Cary Gordon kicked it off, I think. If there was a formal
arrangement then that would be the right place to manage the costs of an
SSL cert.

But there is no formal arrangement yet, so we could rustle it up amongst
ourselves (I'll chip in) or we could make it part of the annual conference
costs ($100ish isn't an onerous burden).

We don't have to get it working forever right now. We just need to get it
working. Then we can worry about it next year.

I've forgotten who at Oregon State is tending the server ... whoever it
is, can you email me?

By the way, if anyone out there has been thinking about privacy
post-Snowden and has some ideas about what libraries and archives can do
about it, this would be a good subject for a talk at the conference next
year [0] ...

> Also, forcing all traffic to HTTPS unnecessarily complicates some things,
> e.g. screen scrapers (and before you say, "well, screen scraping sucks,
> anyway!", I think it's not a stretch to say that "microdata parser" falls
> under "screen scraping". Or RDFa.).

Fair enough, but even if not mandatory or preferred, HTTPS should be
available everywhere HTTP is used, and that's something we can work
towards. People log in to code4lib.org and wiki.code4lib.org by sending
their passwords in the clear! That is uncool.

(Question: Why does HTTPS complicate screen-scraping? Every decent tool
and library supports HTTPS, doesn't it?)

Bill

[0] http://wiki.code4lib.org/index.php/2014_Prepared_Talk_Proposals

--
William Denton
Toronto, Canada
http://www.miskatonic.org/