Re: [libreoffice-users] Re: Signing Documents with a personal Certificate

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 06/21/2012 07:56 AM, James Knott wrote:
> Fabian Rodriguez wrote:
> > Please notice the typo. It looks like James used cecert.org.
>
> No I didn't. I used https, which checks the certificate for the site.
If you can't trust their certificate, you can't trust any certificate
they provide. If I go to that site with only http, then I don't get an
error, but only because their certificate is not verified.
>

I realize I should have provided some more detail.

Perhaps CaCert is just not for you. If you want identity assurance,
CaCert is *definitely not for you*:
"[...]certificates are considered weak because CAcert does not emit any
information in the certificates other than the domain name or email
address (the /CommonName/ field in X.509 certificates)."

CACert's root certificate can't afford to be included in some browsers, see:
"Traditionally vendors seeking to have their root certificates included
in browsers (directly or via the underlying OS infrastructure like
Safari via OS X's Keychain) would have to seek an expensive Webtrust
<http://www.webtrust.org/> audit (~$75,000 up-front plus ~$10,000 per
year). While achievable for commercial CAs who typically charge per
certificate year, this is typically out of the reach of non-profit
organisations like CAcert. "
http://wiki.cacert.org/InclusionStatus

That's why you see the warning messages (again, read them carefully,
they are not security breaches or "hacking" proof).

Self-signed certificates have specific uses (and pros/cons), see:
http://en.wikipedia.org/wiki/Self-signed_certificates

Please read the Wikipedia article I've linked before, it has important,
summarized information if you can't read all of CACert's detailed
documentation and rules:
http://en.wikipedia.org/wiki/Cacert

It's not some trivial subject, sorry I can't elaborate forever on this.

*The bottom line is if you don't want the warnings, can't afford the
time to explain them, and have the money, pay a commercial provider and
realize you are trusting some unknown corporation (rather than yourself
and the combination of CACerts' web of trust).* If you think trusting
any corporation is better, just search for "ssl certificates stolen" and
you'll see what I mean.

Best,

Fabian

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: PGP/Mime available upon request
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk/jG7AACgkQfUcTXFrypNUu8wCfRYhzVvfb5dYWANkYFYX3C6F9
tFsAmwTk267ti8WP2vHnL9h6XNhKypeY
=Wb90
-----END PGP SIGNATURE-----


-- 
For unsubscribe instructions e-mail to: users+help@global.libreoffice.org
Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
List archive: http://listarchives.libreoffice.org/global/users/
All messages sent to this list will be publicly archived and cannot be deleted