 |
 |
Here's a thread about per-TLD rate limits being a problem for universities; it seems per a post at the end of that thread that letsencrypt might exempt your institution from ratelimits, but an official agent of the university needs to submit the request: https://community.letsencrypt.org/t/rate-limiting-at-an-educational-institution/5910/24 On Mon, Jun 19, 2017 at 8:27 AM, Kyle Breneman <[log in to unmask]> wrote: > Thanks for that detailed and interesting reply, Jonathan. > > On Sun, Jun 18, 2017 at 12:35 PM, Jonathan Rochkind <[log in to unmask]> > wrote: > > > Just to clarify, by "Commercial certificates offer stronger proof of > > identity", you mean an "Extended Validation" (EV) certificate. > > https://en.wikipedia.org/wiki/Extended_Validation_Certificate > > > > If you are getting a 'commercial certificate' that is a standard 'domain > > validated' cert instead of an EV cert, you are not getting any stronger > > proof of identity than you would from letsencrypt. > > > > The cert used at https://www.ubalt.edu does NOT appear to be an EV cert, > > but an ordinary domain validated one. (Additionally, that particular web > > page serves http: images , triggering browser mixed content warnings!). > > > > Same thing for the cert at https://langsdale.ubalt.edu/. > > > > Looking at another Maryland public university: https://umd.edu/ appears > > similar. NOT an EV cert, and additionally serving http assets triggering > a > > mixed content warning. > > > > I'm actually having trouble finding an academic institution, or even a > > standard ecommerce site, that DOES use an EV cert. > > > > You can tell it's an EV cert when chrome or Firefox put the name of the > > organization in the location bar to the left of URL. Additionally, in > > Firefox, if you click that name, then click the right-chevron 'more info' > > icon, then click "More information", under "Website Identity" it will > list > > an "Owner:" for an EV cert. For an ordinary domain-validated cert, it > will > > list "This website does not supply ownership information" instead. > > > > Here's an example of an EV cert, the cert on digicert.com, a seller of > > certs: > > > > https://www.digicert.com/ > > > > If your cert is not EV but is just "domain validated", then despite it > > being "commercial" it supplies the same level of proof of identity as a > > letsencrypt cert -- proof of control of the domain at the time the cert > was > > issued, either way. > > > > > > > > On Sat, Jun 17, 2017 at 1:53 PM, Cary Gordon <[log in to unmask]> > wrote: > > > > > We are starting to roll out LetsEncrypt for all of our services and > > > clients who do not use or want commercial certificates. > > > > > > Note that LetsEncrypt offers only domain authentication, in most cases > > > specifically validated by your control of the server. Commercial > > > certificates offer stronger proof of identity. > > > > > > We recommend commercial certificates for any sites that conduct > financial > > > transactions or require HIPPA compliance. > > > > > > Thanks, > > > > > > Cary > > > > > > Cary Gordon > > > The Cherry Hill Company > > > http://chillco.com > > > > > > > > > > On Jun 16, 2017, at 12:34 PM, Kyle Breneman (via lita-l Mailing > List) < > > > [log in to unmask]> wrote: > > > > > > > > Apologies for cross-posting... > > > > > > > > Anyone out there working at a public institution that's using Let's > > > Encrypt for security certificates? I just suggested to our campus IT > > that > > > we switch to using Let's Encrypt. They told me it would need to clear > > > State of Maryland approval process first, and suggested that it would > be > > > helpful to be able to point to other public institutions that are using > > it. > > > > > > > > Regards, > > > > Kyle Breneman > > > > Integrated Digital Services Librarian > > > > University of Baltimore > > > > > > > > To maximize your use of LITA-L or to unsubscribe, see > > > http://www.ala.org/lita/involve/email > > > > > >