Here's a thread about per-TLD rate limits being a problem for universities;
it seems per a post at the end of that thread that letsencrypt might exempt
your institution from ratelimits, but an official agent of the university
needs to submit the request:
https://community.letsencrypt.org/t/rate-limiting-at-an-educational-institution/5910/24
On Mon, Jun 19, 2017 at 8:27 AM, Kyle Breneman <[log in to unmask]>
wrote:
> Thanks for that detailed and interesting reply, Jonathan.
>
> On Sun, Jun 18, 2017 at 12:35 PM, Jonathan Rochkind <[log in to unmask]>
> wrote:
>
> > Just to clarify, by "Commercial certificates offer stronger proof of
> > identity", you mean an "Extended Validation" (EV) certificate.
> > https://en.wikipedia.org/wiki/Extended_Validation_Certificate
> >
> > If you are getting a 'commercial certificate' that is a standard 'domain
> > validated' cert instead of an EV cert, you are not getting any stronger
> > proof of identity than you would from letsencrypt.
> >
> > The cert used at https://www.ubalt.edu does NOT appear to be an EV cert,
> > but an ordinary domain validated one. (Additionally, that particular web
> > page serves http: images , triggering browser mixed content warnings!).
> >
> > Same thing for the cert at https://langsdale.ubalt.edu/.
> >
> > Looking at another Maryland public university: https://umd.edu/ appears
> > similar. NOT an EV cert, and additionally serving http assets triggering
> a
> > mixed content warning.
> >
> > I'm actually having trouble finding an academic institution, or even a
> > standard ecommerce site, that DOES use an EV cert.
> >
> > You can tell it's an EV cert when chrome or Firefox put the name of the
> > organization in the location bar to the left of URL. Additionally, in
> > Firefox, if you click that name, then click the right-chevron 'more info'
> > icon, then click "More information", under "Website Identity" it will
> list
> > an "Owner:" for an EV cert. For an ordinary domain-validated cert, it
> will
> > list "This website does not supply ownership information" instead.
> >
> > Here's an example of an EV cert, the cert on digicert.com, a seller of
> > certs:
> >
> > https://www.digicert.com/
> >
> > If your cert is not EV but is just "domain validated", then despite it
> > being "commercial" it supplies the same level of proof of identity as a
> > letsencrypt cert -- proof of control of the domain at the time the cert
> was
> > issued, either way.
> >
> >
> >
> > On Sat, Jun 17, 2017 at 1:53 PM, Cary Gordon <[log in to unmask]>
> wrote:
> >
> > > We are starting to roll out LetsEncrypt for all of our services and
> > > clients who do not use or want commercial certificates.
> > >
> > > Note that LetsEncrypt offers only domain authentication, in most cases
> > > specifically validated by your control of the server. Commercial
> > > certificates offer stronger proof of identity.
> > >
> > > We recommend commercial certificates for any sites that conduct
> financial
> > > transactions or require HIPPA compliance.
> > >
> > > Thanks,
> > >
> > > Cary
> > >
> > > Cary Gordon
> > > The Cherry Hill Company
> > > http://chillco.com
> > >
> > >
> > > > On Jun 16, 2017, at 12:34 PM, Kyle Breneman (via lita-l Mailing
> List) <
> > > [log in to unmask]> wrote:
> > > >
> > > > Apologies for cross-posting...
> > > >
> > > > Anyone out there working at a public institution that's using Let's
> > > Encrypt for security certificates? I just suggested to our campus IT
> > that
> > > we switch to using Let's Encrypt. They told me it would need to clear
> > > State of Maryland approval process first, and suggested that it would
> be
> > > helpful to be able to point to other public institutions that are using
> > it.
> > > >
> > > > Regards,
> > > > Kyle Breneman
> > > > Integrated Digital Services Librarian
> > > > University of Baltimore
> > > >
> > > > To maximize your use of LITA-L or to unsubscribe, see
> > > http://www.ala.org/lita/involve/email
> > >
> >
>
|