On Feb 28, 2010, at 11:56 PM, a.l.e wrote:

> 
> it doesn't look like an invalid certificate to me... isn't it a self signed 
> one? or more probably one issued by an entity which does not have its root 
> certificate included per default in your browser?
> 
> i guess that if you're using linux or any bsd (as you always should :-) you 
> should have an option to install the community based root certificates 
> through your packet management system. then everything will be ok!

Well, there are a few problems.

One is that installing any root cert exposes high risk. And then this 
particular one is known to have problems.

So, yes, one *could* set things to accept it... but then that circumvents most 
of the security that is normally gained from SSL.

But a *VERY* important aspect is that for distribution of software one should 
not require the average end user to turn off their security. Nowadays that is 
much more important.

And it appears that as a *root* cert for a browser, this particular one has 
some big issues. For peer-to-peer, email, etc., things may not be such a problem, 
but for a browser root cert this is a very high-risk item. Auditing issues, 
withdrawal from Mozilla consideration, etc., all come into play. Again, for a 
personal chain of trust things might work well, but a browser is too 
all-or-nothing when it comes to root certs.
_______________________________________________
CREATE mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/create