Using Commercial SSL/TLS Certificate for debian.org Site



Dear debian.org webmasters,

Currently debian.org uses an SSL certificate from Let's Encrypt (LE). That is not bad; however, there are cases where scammers get SSL certificates from LE to secure their (untrustworthy?) sites. Even LE has said that scam prevention is outside their scope, due to their nature as a fully automated Certificate Authority.

With this current problem of LE, I think it would be better to migrate to commercial certificates issued by a commercial Certificate Authority (like DigiCert and COMODO). Unlike with LE, we (debian.org) have to create Certificate Signing Requests (CSRs), which will be sent to those CAs. We have to pay those CAs in order to get certificates from them. They also offer Extended Validation (EV) certificates, for which browsers display the Subject name (such as Debian) beside the green padlock. For EV certificates, the CA has to verify whether the certificate requester really represents the Subject (website). EV certificates can be useful for large organizations like Debian.

I know that Debian has had internal discussions about commercial certificates before, but I would ask this list anyway. Given the advantages of commercial SSL/TLS certificates described above, would commercial SSL/TLS certificates make sense for the debian.org website?

Regards, Bagas
