Who am I? And how to prove?
Since I am currently setting up my infrastructure for my pet project, I wanted to sort out some little details.
My Bug tracker, the build server software, the repository managament… all this will be web based, and hosted on my new virtual server Gallifrey (that now also serves this blog). I don’t want my credentials go over the internet in plain text, so I want to access these applications only over HTTPS.
Now, of course I could simply use a self signed certificate and trust the certificate on all my machines, but what if I’m going to partner up with somebody else? An official SSL certificate would be better.
A colleague pointed me to StartSSL. They offer a 2 year multi-domain, wildcard certificate for just 59 USD. So I signed up there and - my bad - entered my mobile number as my contact number. That was a problem, because as I would get to know soon after that, they do a three-way check to validate my identity.
1.) They want to see two recent photo ID’s of me. So I emailed them photographs of my ID and my drivers licence. 2.) To validate my address and my name they wanted to see a phone bill showing my name and the address and the phone number. 3.) They call the number that, as by the documents, belong to the same person identified by the photo IDs, to ask for additional informations given on the ID (like place and date of birth).
Now the problem was, that my mobile phone contract is not mine, but payed by my company. So the phone bill didn’t show my name and they could not do this validation. After a few mails I figured out, that they could swap my mobile against my landline number, and so I emailed them a pdf scan of my land line bill, which shows me as the owner. Now that PDF scan was a bit too big for their email system, and until I figured that out a full day passed. By know I know that my email bounce notifications are sent every 24 hours.
Well, they called me on the landline, asked those questions and a few hours later I had my certificate. So, you should be able to connect to this blog also via https, and also the other domains and web applications are secured too.
When you want a certificate from StartSSL, better be prepared and give them a phone number where your name is on the bill…