[development] A Rose By Any Other Name... SSL Certs

nan wich nan_wich at bellsouth.net
Tue Mar 1 12:02:21 UTC 2011

The way I approach things like this is that I am not a permanent employee of the 
company, therefore I do not acquire assets for the company if that asset 
outlives my tenure. I do this whether that asset has a cost or not. I won't even 
get a Google Analytics key, which is free. Someone who is permanently with the 
company must acquire it and provide me with the usage information, such as keys. 
What are they going to do when that certificate expires, call you back for ten 
minutes of work?

From: Gordon Heydon <gordon at heydon.com.au>
To: Drupal Development <development at drupal.org>
Sent: Mon, February 28, 2011 11:43:49 PM
Subject: [development] A Rose By Any Other Name... SSL Certs


I have a new client and they require me to get an SSL certificate, ideally an EV 
certificate, because they deal with financial information (not credit cards) 
and would ideally require a higher level of identifiable security than what a 
standard certificate provides.

Usually for clients that do not really require any real security for their 
website, and when a self-signed certificate will do, I will use a free 
certificate from startssl.com: not only does it give the full security, their 
certificate authority is also recognised by all browsers.

While grabbing a certificate for another client I noticed that they offer an EV 
certificate for US$199 for 2 years, whereas thawte.com (who I usually use when I 
need a proper certificate) charges US$995 for 2 years for the same certificate, 
and VeriSign is 1730 for the same.

I know that technically there is zero difference in security between the two 
providers and they will both provide the exact same levels of encryption.

The EV certificate from startssl.com is 1/5 of the price of one from thawte.com, 
so looking at that, it is much better financially. But the issue is really 
"trust". Thawte or even VeriSign have a much higher level of trust than what 
startssl.com has. Would a normal person (not like us) really care about this?

Remember also to provide an EV certificate you still need to meet some strict 

I am conflicted with this: on the one hand I can provide my client with a 
financially acceptable option that will give their clients a much higher level 
of identity, and make sure they are dealing with my client, but on the other 
hand it is not a Thawte/VeriSign one.

Comments please.

Thanks in advance.
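
A small demonstration of the point made in the thread about trust versus encryption, added here as an example and not part of the original messages or of any CA's tooling. It builds a private root CA and a leaf certificate with the openssl command-line tool and then shows three things: the leaf verifies only when the verifier has the issuing root as a trust anchor; the key size and signature algorithm are the same whoever signed the certificate; and the CA/Browser Forum EV policy OID, 2.23.140.1.1, can be stamped into any certificate, so a browser shows the EV indicator only because it recognises the issuing root as EV-enabled, not because of anything in the certificate bytes. It assumes openssl 1.1.1 or newer is installed; the CA name and the hostname shop.example.invalid are made up.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds a private root CA and a
# leaf certificate with openssl, then shows:
#   1. the leaf verifies only when the verifier trusts the issuing root;
#   2. key size and signature algorithm do not depend on who signed;
#   3. the CA/Browser Forum EV policy OID (2.23.140.1.1) can be put into any
#      certificate, so EV status comes from the browser's root store
#      recognising the issuer, not from the certificate alone.
# Assumes the openssl CLI (1.1.1 or newer). Names and hostnames are made up.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config so the example does not depend on the system's
# openssl.cnf. The leaf_ext section carries the (meaningless here) EV OID.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Example Private Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:shop.example.invalid
certificatePolicies = 2.23.140.1.1
EOF

make_chain() {
    # Self-signed root: stands in for a public CA's root certificate.
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$WORK/openssl.cnf" -extensions v3_ca \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
    # Leaf key and CSR for the site, then sign the CSR with the root.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$WORK/openssl.cnf" -subj "/CN=shop.example.invalid" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/leaf.csr" -days 90 -sha256 \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/openssl.cnf" -extensions leaf_ext \
        -out "$WORK/leaf.crt" >/dev/null 2>&1
}

# $1 = "trusted": verify with our root as the trust anchor;
# anything else: verify with an empty trust store. Prints trusted/untrusted.
verify_leaf() {
    if [ "$1" = "trusted" ]; then
        openssl verify -CAfile "$WORK/ca.crt" "$WORK/leaf.crt" >/dev/null 2>&1 \
            && echo trusted || echo untrusted
    else
        openssl verify -no-CApath -no-CAfile "$WORK/leaf.crt" >/dev/null 2>&1 \
            && echo trusted || echo untrusted
    fi
}

# RSA modulus size of the leaf key, e.g. 2048.
leaf_key_bits() {
    openssl x509 -in "$WORK/leaf.crt" -noout -pubkey \
        | openssl rsa -pubin -noout -text 2>/dev/null \
        | grep -o '[0-9][0-9]* bit' | head -1 | cut -d' ' -f1
}

# Signature algorithm the issuer used, e.g. sha256WithRSAEncryption.
leaf_sig_alg() {
    openssl x509 -in "$WORK/leaf.crt" -noout -text \
        | grep 'Signature Algorithm' | head -1 | awk '{print $3}'
}

# First certificatePolicies OID in the leaf.
leaf_policy_oid() {
    openssl x509 -in "$WORK/leaf.crt" -noout -text \
        | grep -o 'Policy: [0-9.]*' | head -1 | cut -d' ' -f2
}

make_chain
echo "root in trust store:       $(verify_leaf trusted)"
echo "root not in trust store:   $(verify_leaf untrusted)"
echo "leaf key: $(leaf_key_bits)-bit RSA, signed with $(leaf_sig_alg)"
echo "policy OID in leaf: $(leaf_policy_oid) (the EV OID, honoured by no browser here)"
```

Run it with `sh`. The first two lines show that "trust" is a property of the verifier's root store: the identical leaf is accepted or rejected depending only on whether the root is present. The third line is the part the thread calls "the same levels of encryption": the key size and signature hash are chosen by whoever generates the key and signs, not by the CA's brand, and the TLS cipher suite is negotiated between client and server independently of the CA as well. The last line is why a cheaper EV certificate is not technically weaker: the EV bit is just a policy OID, and it only lights up the browser's EV indicator when the issuing root is one the browser has enabled for EV.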
