

On 06/21/2012 07:56 AM, James Knott wrote:
> Fabian Rodriguez wrote:
>> Please notice the typo. It looks like James used
>
> No I didn't. I used https, which checks the certificate for the site.
> If you can't trust their certificate, you can't trust any certificate
> they provide. If I go to that site with only http, then I don't get an
> error, but only because their certificate is not verified.

I realize I should have provided some more detail.

Perhaps CAcert is just not for you. If you want identity assurance,
CAcert is *definitely not for you*:
"[...]certificates are considered weak because CAcert does not emit any
information in the certificates other than the domain name or email
address (the /CommonName/ field in X.509 certificates)."

CAcert can't afford to have its root certificate included in some browsers, see:
"Traditionally vendors seeking to have their root certificates included
in browsers (directly or via the underlying OS infrastructure like
Safari via OS X's Keychain) would have to seek an expensive Webtrust
audit (~$75,000 up-front plus ~$10,000 per
year). While achievable for commercial CAs who typically charge per
certificate year, this is typically out of the reach of non-profit
organisations like CAcert."

That's why you see the warning messages (again, read them carefully,
they are not security breaches or "hacking" proof).

Self-signed certificates have specific uses (and pros/cons), see:

Please read the Wikipedia article I've linked before; it has important,
summarized information if you can't read all of CAcert's detailed
documentation and rules:

It's not some trivial subject, sorry I can't elaborate forever on this.

*The bottom line is if you don't want the warnings, can't afford the
time to explain them, and have the money, pay a commercial provider and
realize you are trusting some unknown corporation (rather than yourself
and the combination of CAcert's web of trust).* If you think trusting
any corporation is better, just search for "ssl certificates stolen" and
you'll see what I mean.
