| >> So at the company I work for, most of the internal systems have | >> expired SSL certs, or self-signed certs. Obviously this is bad. | > | >You only think this is bad because you believe CAs add some value. | | Presumably the value they add is that they keep browsers from popping | up scary warning messages.... Apple's Mail.app checks certs on SSL-based mail server connections. It has the good - but also bad - feature that it *always* asks for user approval if it gets a cert it doesn't like.
One ISP I've used for years (BestWeb) uses an *expired* self-signing cert. The "self-signed" part I could get around - it's possible to add new CA's to Mail.app's list. But there's no way to get it to accept an expired cert automatically. So ... every time Mail.app starts up, it complains about the cert and asks me to approve it. This stalls Mail's startup, and it fails to pick up mail - from any server - until I tell it, OK, yes, go ahead. The cert has now been expired for over 2 years. (You might well wonder why, if you're going to use a self-signed cert, you *ever* let it expire - much less cut one, like theirs, with a 1-year lifetime. Since all you're getting with a self-signed cert is "continuity of identity", expiration has no positives, just negatives. Perhaps they were planning to go out of business in a year? :-) ) I've been in touch with BestWeb's support guys repeatedly. Either they just don't understand what I'm talking about, or I'll finally get someone to understand, he'll ask me for details on which cert is expired, I'll send them - and then nothing will happen. Clueless. Just to add to the amusement, *some* of their services - Web mail, and through it tuning of their spam filters - are accessible *only* through HTTP, not HTTPS. These use the same credentials.... Perhaps I should just go with the flow and use unencrypted connections. (Or get over my inertia, stop trying to get them to fix things, and drop my connections to them at the next renewal....) -- Jerry --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]