Just to clarify, by "Commercial certificates offer stronger proof of
identity", you mean an "Extended Validation" (EV) certificate.
https://en.wikipedia.org/wiki/Extended_Validation_Certificate
If you are getting a 'commercial certificate' that is a standard 'domain
validated' cert instead of an EV cert, you are not getting any stronger
proof of identity than you would from letsencrypt.
The cert used at https://www.ubalt.edu does NOT appear to be an EV cert,
but an ordinary domain validated one. (Additionally, that particular web
page serves http: images , triggering browser mixed content warnings!).
Same thing for the cert at https://langsdale.ubalt.edu/.
Looking at another Maryland public university: https://umd.edu/ appears
similar. NOT an EV cert, and additionally serving http assets triggering a
mixed content warning.
I'm actually having trouble finding an academic institution, or even a
standard ecommerce site, that DOES use an EV cert.
You can tell it's an EV cert when chrome or Firefox put the name of the
organization in the location bar to the left of URL. Additionally, in
Firefox, if you click that name, then click the right-chevron 'more info'
icon, then click "More information", under "Website Identity" it will list
an "Owner:" for an EV cert. For an ordinary domain-validated cert, it will
list "This website does not supply ownership information" instead.
Here's an example of an EV cert, the cert on digicert.com, a seller of
certs:
https://www.digicert.com/
If your cert is not EV but is just "domain validated", then despite it
being "commercial" it supplies the same level of proof of identity as a
letsencrypt cert -- proof of control of the domain at the time the cert was
issued, either way.
On Sat, Jun 17, 2017 at 1:53 PM, Cary Gordon <[log in to unmask]> wrote:
> We are starting to roll out LetsEncrypt for all of our services and
> clients who do not use or want commercial certificates.
>
> Note that LetsEncrypt offers only domain authentication, in most cases
> specifically validated by your control of the server. Commercial
> certificates offer stronger proof of identity.
>
> We recommend commercial certificates for any sites that conduct financial
> transactions or require HIPPA compliance.
>
> Thanks,
>
> Cary
>
> Cary Gordon
> The Cherry Hill Company
> http://chillco.com
>
>
> > On Jun 16, 2017, at 12:34 PM, Kyle Breneman (via lita-l Mailing List) <
> [log in to unmask]> wrote:
> >
> > Apologies for cross-posting...
> >
> > Anyone out there working at a public institution that's using Let's
> Encrypt for security certificates? I just suggested to our campus IT that
> we switch to using Let's Encrypt. They told me it would need to clear
> State of Maryland approval process first, and suggested that it would be
> helpful to be able to point to other public institutions that are using it.
> >
> > Regards,
> > Kyle Breneman
> > Integrated Digital Services Librarian
> > University of Baltimore
> >
> > To maximize your use of LITA-L or to unsubscribe, see
> http://www.ala.org/lita/involve/email
>
|