DocScrutinizer05 | sicelo: LE is a) very centralized with possible single point of failure / attack vector for whole internet literally. b) trades in expense for increased complexity and I am one of those weird folks that think sysadmin time is worth real money c) didn't work a felt 1 dozen times now for devuan, thanks to the aforementioned complexity *D*) doesn't allow cert-pinning *E*) isn't at all about authentication, now every silly script kiddie can | 04:06 |
---|---|---|
DocScrutinizer05 | get free-as-in-beer anonymous certs | 04:06 |
DocScrutinizer05 | Nota Bene the whole thing is "let's ENCRYPT" _not_ "let's AUTHENTICATE" | 04:09 |
brolin_empey | DocScrutinizer05: You may have some valid points but part of the reason why I switched to using LE is to automate the process of renewing the certificate because I wanted to avoid outages caused by the certificate expiring and do not want to spend my time on a chore if the process can be automated. A computer should enable its user to work more efficiently by automating repetitive tasks, not to make the user work for the computer. | 04:39 |
DocScrutinizer05 | balance for devuan (estimation): installing & configuring of LE on devuan servers: 3h, managing tickets, bugfixing and handling other fallout from outtime due to failed renewals during last 2 years: 5 * 3h (all incl chat and whatnot on admin meetings, customer support etc); TOTAL 18h * (don't beat me, I'd be more generous in RL) 20€ = 360€ TCO. /// For a simple 2year wildcard business cert: 1h handling aka 20€ + cert 180€ = | 04:49 |
DocScrutinizer05 | 200€ | 04:49 |
DocScrutinizer05 | and that's *very* conservative and in favor of LE. I'd rather use a 50 to 100€ per hour, and way more hours for handling the fallout / collateral damage, plus I'd factor in reputation damages too | 04:51 |
DocScrutinizer05 | this would multiply the ratio by factor 10 | 04:52 |
Maxdamantus | regarding the SPOF issue .. isn't the whole certificate system already subject to many points of failure? | 05:02 |
Maxdamantus | Everyone already trusts every root CA. | 05:02 |
Maxdamantus | Just have to hope that some CA doesn't authenticate some Iranian organisation or something as google.com | 05:03 |