From: Nathan Angelacos
To: alpine-infra@alpinelinux.org
Subject: Proposal for TLS on websites
Date: Fri, 26 Feb 2016 09:38:46 -0500
Message-ID: <56D06376.2020709@alpinelinux.org>

I'm leaning toward letsencrypt and 4096-bit certs. They don't allow wildcard certs, but do allow multiple Alt Subject Names. Startssl allows 5 alts (UCC) per free cert.

We currently have 61 entries in our zone file - a few are exempt/junk (I don't think we need svn or blog anymore); but the rest are in use.

To start simple, here's a proposal:

Get a cert for: alpinelinux.org

with Alt Subj Names of:
  bugs.alpinelinux.org
  forum.alpinelinux.org
  git.alpinelinux.org
  lists.alpinelinux.org
  patchwork.alpinelinux.org
  pkgs.alpinelinux.org
  wiki.alpinelinux.org
  www.alpinelinux.org

That would encompass the bulk of the "consumer" side of the project. For now we leave the download and build servers bare http, and see how this first step works.

---
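A check that goes with a proposal like this, added here as an example and not part of the original message: given the Subject Alternative Names a certificate carries and the hostnames you intend to serve over TLS, report which hostnames the certificate would not cover. It implements the usual single-label wildcard rule so it also shows why a wildcard would not have covered the bare domain. The SAN list is the one from the proposal; the extra hostnames in the sample run are constructed for illustration.

```python
"""Report hostnames that a certificate's SAN list does not cover."""
from typing import Iterable, List

# SAN set from the proposal: the bare domain plus its Alt Subject Names.
PROPOSED_SANS = [
    "alpinelinux.org",
    "bugs.alpinelinux.org", "forum.alpinelinux.org", "git.alpinelinux.org",
    "lists.alpinelinux.org", "patchwork.alpinelinux.org", "pkgs.alpinelinux.org",
    "wiki.alpinelinux.org", "www.alpinelinux.org",
]


def san_matches(san: str, host: str) -> bool:
    """True if a dNSName SAN covers host.

    Exact match, or a '*' that forms the whole leftmost label and stands for
    exactly one label (RFC 6125 style): '*.example.org' covers
    'www.example.org' but neither 'example.org' nor 'a.b.example.org'.
    """
    san = san.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if san == host:
        return True
    if not san.startswith("*."):
        return False
    labels = host.split(".")
    # Host must have one label in front of the wildcard's suffix, nothing more.
    return len(labels) >= 2 and labels[0] != "" and ".".join(labels[1:]) == san[2:]


def uncovered_hosts(sans: Iterable[str], hosts: Iterable[str]) -> List[str]:
    """Hostnames (in input order) matched by none of the SANs."""
    san_list = list(sans)
    return [h for h in hosts if not any(san_matches(s, h) for s in san_list)]


if __name__ == "__main__":
    # Constructed hostnames standing in for zone entries outside the first step.
    wanted = PROPOSED_SANS + ["dl.example-placeholder.org", "build.example-placeholder.org"]
    for host in uncovered_hosts(PROPOSED_SANS, wanted):
        print("not covered:", host)
```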