On 2014-03-30 10:21, Stéphane Guedon wrote:
> On Sunday 30 March 2014 07:33:55, you wrote:
> > I believe the opensmtp project is taking the right approach.
> > Decisions about certification strategies are more business than
> > technical, and, I suggest, the opensmtp project is not here to make
> > business recommendations, even implicit ones. Wikipedia documents
> > some things to consider, including
> > http://en.wikipedia.org/wiki/X.509#Security - see problems with
> > certificate authorities.
> 
> I know some of the critics and agree with them.
> But that remains: opensmtpd.org uses poolp.org certificates.
> It's not good.

Indeed. Not using SSL would be one thing. A wrong cert is another.
> 
> > Having said that, I most certainly do not speak for the opensmtp
> > project; indeed, I do not speak for anyone apart from me, and am
> > most probably talking nonsense.
> > 
> > If I were to use certificates that had to be trustable by strangers,
> > I'd use a certification authority from an established organisation
> > whose business depended on them being trusted. By coincidence, I
> > live in an international banking centre, so I've a rich choice (ho
> > ho).
> 
> The project can also use CAcert. That makes much more sense, the
> certificates are well signed, correspond to the actual address the
> person wants to visit, and there's a chance that an opensmtpd user
> (because of free software mind / knowledge / enthusiasm) has some
> knowledge of CAcert so either he trusts it already, or he knows he can
> and how to do things...

The huge downside with CAcert is that no major browser or OS trusts
it. Even Debian recently dropped it from its bundle. So most users will
get a rather unfriendly message from their browser.

StartSSL's have all that you mention above, plus, trust from major
browsers. They're free as well, of course.

> 
> > Dylan Harris
> > ... a broad Brit abroad ...
> > 
> > On 30/03/2014 04:40, "Hugo Osvaldo Barrera" <[email protected]> wrote:
> > >On 2014-03-29 19:26, Stéphane Guedon wrote:
> > >> Hello
> > >> 
> > >> I don't like to behave like an asshole and say stupid things to
> > >> cool people... but the SSL certs for opensmtpd.org are valid
> > >> only for poolp.org.
> > >> 
> > >> You don't use DNSSEC, nor good SSL certs ... ?
> > >> 
> > >> Sorry for the annoyance.
> > >
> > >Hint to the dev: StartSSL gives out free SSL certificates that are
> > >trusted by all major browsers and OSs. That + SNI should fix that.
> > >:)
> 

-- 
Hugo Osvaldo Barrera
A: No, it doesn't make sense.
Q: Should I include quotations *after* my reply?
