Thanks for that detailed and interesting reply, Jonathan.
On Sun, Jun 18, 2017 at 12:35 PM, Jonathan Rochkind <[log in to unmask]>
wrote:
> Just to clarify, by "Commercial certificates offer stronger proof of
> identity", you mean an "Extended Validation" (EV) certificate.
> https://en.wikipedia.org/wiki/Extended_Validation_Certificate
>
> If you are getting a 'commercial certificate' that is a standard 'domain
> validated' cert instead of an EV cert, you are not getting any stronger
> proof of identity than you would from letsencrypt.
>
> The cert used at https://www.ubalt.edu does NOT appear to be an EV cert,
> but an ordinary domain validated one. (Additionally, that particular web
> page serves http: images , triggering browser mixed content warnings!).
>
> Same thing for the cert at https://langsdale.ubalt.edu/.
>
> Looking at another Maryland public university: https://umd.edu/ appears
> similar. NOT an EV cert, and additionally serving http assets triggering a
> mixed content warning.
>
> I'm actually having trouble finding an academic institution, or even a
> standard ecommerce site, that DOES use an EV cert.
>
> You can tell it's an EV cert when chrome or Firefox put the name of the
> organization in the location bar to the left of the URL. Additionally, in
> Firefox, if you click that name, then click the right-chevron 'more info'
> icon, then click "More information", under "Website Identity" it will list
> an "Owner:" for an EV cert. For an ordinary domain-validated cert, it will
> list "This website does not supply ownership information" instead.
>
> Here's an example of an EV cert, the cert on digicert.com, a seller of
> certs:
>
> https://www.digicert.com/
>
> If your cert is not EV but is just "domain validated", then despite it
> being "commercial" it supplies the same level of proof of identity as a
> letsencrypt cert -- proof of control of the domain at the time the cert was
> issued, either way.
>
>
>
> On Sat, Jun 17, 2017 at 1:53 PM, Cary Gordon <[log in to unmask]> wrote:
>
> > We are starting to roll out LetsEncrypt for all of our services and
> > clients who do not use or want commercial certificates.
> >
> > Note that LetsEncrypt offers only domain authentication, in most cases
> > specifically validated by your control of the server. Commercial
> > certificates offer stronger proof of identity.
> >
> > We recommend commercial certificates for any sites that conduct financial
> > transactions or require HIPAA compliance.
> >
> > Thanks,
> >
> > Cary
> >
> > Cary Gordon
> > The Cherry Hill Company
> > http://chillco.com
> >
> >
> > > On Jun 16, 2017, at 12:34 PM, Kyle Breneman (via lita-l Mailing List) <
> > [log in to unmask]> wrote:
> > >
> > > Apologies for cross-posting...
> > >
> > > Anyone out there working at a public institution that's using Let's
> > > Encrypt for security certificates? I just suggested to our campus IT that
> > > we switch to using Let's Encrypt. They told me it would need to clear
> > > State of Maryland approval process first, and suggested that it would be
> > > helpful to be able to point to other public institutions that are using it.
> > >
> > > Regards,
> > > Kyle Breneman
> > > Integrated Digital Services Librarian
> > > University of Baltimore
> > >
> > > To maximize your use of LITA-L or to unsubscribe, see
> > http://www.ala.org/lita/involve/email
> >
>
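Jonathan's browser walkthrough (organization name in the location bar, "Owner:" under Website Identity) is a visual reading of fields that are in the certificate itself: the subject's O attribute, and for EV the additional jurisdiction and businessCategory attributes plus the CA/Browser Forum EV policy OID. The Go program below is an added example, not code from the thread or from any of the sites named in it, and it goes a step beyond the thread by also separating the middle case that the thread folds into "domain validated": an OV certificate carries an organization name but is not EV. The policy OIDs (2.23.140.1.2.1 DV, 2.23.140.1.2.2 OV, 2.23.140.1.1 EV) and the EV subject attribute OIDs are taken from the CA/Browser Forum Baseline Requirements and EV Guidelines, which the thread does not cite; the certificates it classifies are constructed in-process, self-signed, with the hypothetical name www.example.edu, so nothing is fetched from the network.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// OIDs assumed from the CA/Browser Forum Baseline Requirements and EV
// Guidelines; the mailing-list thread itself names none of them.
var (
	oidCABFDomainValidated       = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1}
	oidCABFOrganizationValidated = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 2}
	oidCABFExtendedValidation    = asn1.ObjectIdentifier{2, 23, 140, 1, 1}
	oidCertificatePolicies       = asn1.ObjectIdentifier{2, 5, 29, 32}
	// Subject attributes the EV Guidelines require in addition to O and CN.
	oidJurisdictionCountry = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 60, 2, 1, 3}
	oidBusinessCategory    = asn1.ObjectIdentifier{2, 5, 4, 15}
)

// policyInformation is the one-field form of RFC 5280 PolicyInformation
// (no qualifiers), enough to build a certificatePolicies extension.
type policyInformation struct {
	Policy asn1.ObjectIdentifier
}

func hasPolicy(cert *x509.Certificate, oid asn1.ObjectIdentifier) bool {
	for _, p := range cert.PolicyIdentifiers {
		if p.Equal(oid) {
			return true
		}
	}
	return false
}

func hasSubjectAttr(cert *x509.Certificate, oid asn1.ObjectIdentifier) bool {
	for _, atv := range cert.Subject.Names {
		if atv.Type.Equal(oid) {
			return true
		}
	}
	return false
}

// ValidationLevel classifies a parsed leaf certificate as "EV", "OV" or "DV".
// The "Owner:" line Firefox shows is the subject O attribute; a DV
// certificate such as Let's Encrypt's has only a CN and SANs, no O.
func ValidationLevel(cert *x509.Certificate) string {
	hasOrg := len(cert.Subject.Organization) > 0
	switch {
	case hasPolicy(cert, oidCABFExtendedValidation) && hasOrg &&
		hasSubjectAttr(cert, oidJurisdictionCountry) &&
		hasSubjectAttr(cert, oidBusinessCategory):
		return "EV"
	case hasOrg:
		return "OV"
	default:
		return "DV"
	}
}

// makeTestCert builds a self-signed certificate with the given subject and
// policy OID so the classifier can be exercised offline (constructed input,
// not a real certificate from any site in the thread).
func makeTestCert(subject pkix.Name, policy asn1.ObjectIdentifier) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	policyDER, err := asn1.Marshal([]policyInformation{{Policy: policy}})
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		Subject:         subject,
		DNSNames:        []string{"www.example.edu"},
		NotBefore:       time.Now().Add(-time.Hour),
		NotAfter:        time.Now().Add(24 * time.Hour),
		KeyUsage:        x509.KeyUsageDigitalSignature,
		ExtraExtensions: []pkix.Extension{{Id: oidCertificatePolicies, Value: policyDER}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// SampleLevels classifies three constructed certificates, one per validation
// level, and returns the result keyed by a label.
func SampleLevels() (map[string]string, error) {
	cases := []struct {
		label   string
		subject pkix.Name
		policy  asn1.ObjectIdentifier
	}{
		{"letsencrypt-style DV", pkix.Name{CommonName: "www.example.edu"}, oidCABFDomainValidated},
		{"commercial OV", pkix.Name{CommonName: "www.example.edu",
			Organization: []string{"Example University"}, Country: []string{"US"}},
			oidCABFOrganizationValidated},
		{"commercial EV", pkix.Name{CommonName: "www.example.edu",
			Organization: []string{"Example University"}, Country: []string{"US"},
			SerialNumber: "D12345678",
			ExtraNames: []pkix.AttributeTypeAndValue{
				{Type: oidBusinessCategory, Value: "Government Entity"},
				{Type: oidJurisdictionCountry, Value: "US"},
			}}, oidCABFExtendedValidation},
	}
	out := make(map[string]string, len(cases))
	for _, c := range cases {
		cert, err := makeTestCert(c.subject, c.policy)
		if err != nil {
			return nil, err
		}
		out[c.label] = ValidationLevel(cert)
	}
	return out, nil
}

func main() {
	levels, err := SampleLevels()
	if err != nil {
		panic(err)
	}
	for label, level := range levels {
		fmt.Printf("%-22s -> %s\n", label, level)
	}
}
```

To run the same check against a live site, replace makeTestCert with the leaf from tls.Dial's ConnectionState().PeerCertificates[0] and pass it to ValidationLevel; the classifier needs nothing beyond the parsed certificate. Note that the EV branch requires the policy OID and the extra subject attributes together, since an O attribute on its own is what an OV certificate also carries.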