On Wed, Dec 21, 2011 at 10:24 AM, LinuxIsOne <reall...@hmamail.com> wrote: > On Wed, Dec 21, 2011 at 8:29 PM, Joshua Murphy <poiso...@gmail.com> wrote: > >> That would likely be because cacert.org isn't a "trusted' authority by >> default and that is the issuer for B.G.O., making the certificate >> throw up a red flag if you choose not to add cacert.org to your >> trusted authorities. > > And finally there is no security risk in adding cacert.org to the > trusted authorities? >
Well, that's up to whether you trust that issuer not to give out certificates to people using falsified credentials, setting up phishing sites, etc. Any time you choose to allow a person outside of yourself to decide who or what you trust, there's some element of risk. That the Gentoo devs trust cacert.org to be their issuer for b.g.o. is enough for me to feel that risk is worth it in my case, but that's as much as I can really say. -- Poison [BLX] Joshua M. Murphy
