[Board] SSL Certificate Policy
tech_dev at wildintellect.com
Fri May 6 08:06:32 PDT 2016
We recently renewed the SSL certificate for the *.osgeo.org domains. In
doing so there's an unresolved policy question I'd like to get answered.
Our old certificate was Org Validated (OV). All that means is that the
certificate authority does a little extra checking on the org, it's
slightly more expensive (~$150+/yr), and that it's harder to change
anything in our account related to the certificate. The outward facing
result is that if you read the certificate details the Organization(O)
line is filled out.
The new certificate (because we were on a time crunch) is a Domain
Validated (DV). It's a little cheaper, and way easier to login and work
with. It's also similar enough to Mozilla's new letsencrypt project that
we might be able to switch to that later on.
>From a money perspective, I don't think the difference between $250 vs
$400 a year is big difference. From a technical perspective both work,
equally well. Other orgs seems to mostly use OV certificates. But I've
found very few people who seem to care, and you can't really tell unless
you open the certificate details.
The only thing that would happen now if we change back to OV, is that it
will take more volunteer hours to get the new one, cancel the current
one (100% refund is not an issue in the 1st 30 days).
Does the board have a position on if they want to use an OV or are
people content with the DV certificates?
Sys Admin Committee
More information about the Board