extended validation

[chadwhitacre]

We need to go through a verification flow again with StartSSL post-#73 (pressing because of gratipay/gratipay.com#3160). Let's go ahead and get extended validation! That will give us a nice big green Gratipay, LLC in the address bar:

[chadwhitacre]

Thank you for your Extended Validation request. In order to proceed with it we need some additional documents from you:

1. A signed acknowledgment of the StartCom Extended Validation Subscriber Agreement. You can find it here
   https://www.startssl.com/extended-validation-application-request-en.pdf
2. A lawyer’s opinion letter completed by your internal or external legal counsel (lawyer/Attorney/Notary).
3. Company bank accounts.
4. A scanned copy of your credit card (front only).

Thank you in advance.

[chadwhitacre]

They're asking for a voided check for item number 3, company bank accounts. We don't have checks. We can get them free from Ally, but it'll take 10 days and I'm not sure they'll have the name Gratipay on them.

[chadwhitacre]

I have the opinion letter from a notary, hopefully it's sufficient. I'll scan and upload it next chance I get, along with the credit card.

[chadwhitacre]

Opinion letter uploaded. Credit card uploaded, too, but as with the bank account it has my name on it and not Gratipay's, so I'm not sure they'll accept it.

[chadwhitacre]

Okay! The plot thickens like pea soup 🍜. I just called Ally to ask about changing the name on the account from Chad Whitacre to Gratipay, LLC, aaaaaand it turns out they don't offer business accounts, only personal accounts(!). I guess we're going to have to set up a different account at a new bank before proceeding. :-/

Reticketed as #149.

[blrhc]

All for a new SSL certificate!

[captn3m0]

EV certificates are not really worth the trouble, imo.

We did not find that extended validation provided a significant advantage in
identifying the phishing attacks tested in this study. [...]

• citation

[chadwhitacre]

Interesting. Eight years old, though. Anything more recent, now that EV has been out for a while?

[captn3m0]

• Interesting HN Thread
• EV certs don't work - Basically says EV = non EV

There are some startups on the HN thread offering cheap EV certs. You might wanna compare prices.

[chrisdev]

I think EV is more of a branding/confidence thing. You have to look at the sites in your niche and see if they are using EV certs. So i've noticed that Patreon and Kickstarter don't use EVs. But Chase, BOA, ALLY use them.

BTW I get my certs from namecheap. But i'm going to try startssl for my next project.

[captn3m0]

For cheap SSL, I'm currently using CloudFlare free SSL plan on my personal projects.

[chadwhitacre]

We already have a cert vendor, StartSSL.

Twitter: Yes. Facebook, Google+: No.

[chadwhitacre]

The notary I used as a notary public, not a latin notary(!), so StartSSL wouldn't count their opinion of us. Given that and @captn3m0's input, I went ahead and called off the extended validation process. Unless @chrisdev wants to champion EV for Gratipay, I'm inclined to close this as wont-fix.

[colindean]

I'm not convinced of the value of EV for Gratipay at this time, per this security.SE answer.