On 21/11/13 00:54, John Hasler wrote:
> The CAcert certificate is included by Debian, most other Linux
> distributions, and by OpenBSD.  It is at least as trustworthy as most
> commercial certificates.

That's mainly because Microsoft accepts so many obscure certifiers by default and. However, as I said, any organisation that is serious about security will probably disable most of the commercial ones.

My ISP used to use CACert for a long time, but they've moved to COMODO because of the problem of not having trust.

(I suspect most people don't realise that even within a single commercial certifier, there are usually different certificates, ranging from something like email gets to the requestor, to a detailed scrutiny of the subject.)

But my main point was that it is bad practice for an untrusted site to tell people what to do to make it appear trusted. Ideally people should ignore that advice as self serving, but in practice it encourages them to always accept similar advice from less trustworthy sites.

Most browsers will let you install single exception certificates, so if there is a specific site that you really trust (either because you have authenticated it by other means, or because you consider it low risk) but has an unknown certifier, you should install the certificate for the individual site, not for the unknown certifier.

It's not like installing a missing library, to enable a package to run, it is actually saying that you trust the certifier to properly authenticate the subjects. The site will actually run without that certificate.

I did install the CACert one on my home use only system when my ISP used it, but I would not consider doing that for systems that I also used for work, and, for example, installed a server level certificate for the ISP's email server in the home Windows machines, which were occasionally used for work.

Actually I would expect the name on their root certificates, the generic "Root CA" to send warning bells to anyone who was security conscious, but not already familiar with them.

_______________________________________________
questions mailing list
[email protected]
http://lists.ntp.org/listinfo/questions
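
The per-site exception described in the message above, sketched as an added example (not part of the original post): trust is recorded for one certificate on one host and port, so it grants nothing to other names the way an installed certifier would. The host names, port and sample byte strings are constructed placeholders.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed stand-ins for DER certificate bytes (not real certificates).
SAMPLE_ISP_CERT = b"constructed DER stand-in: mail.isp.example"
SAMPLE_OTHER_CERT = b"constructed DER stand-in: some other certificate"

def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()

class SiteExceptions:
    """Each entry trusts exactly one certificate for exactly one host:port."""

    def __init__(self):
        self._pins = {}  # (host, port) -> fingerprint

    def add(self, host: str, port: int, der_cert: bytes) -> None:
        # Only call this after authenticating the certificate by other means.
        self._pins[(host.lower(), port)] = fingerprint(der_cert)

    def is_trusted(self, host: str, port: int, der_cert: bytes) -> bool:
        pinned = self._pins.get((host.lower(), port))
        if pinned is None:
            return False  # an exception for one site says nothing about others
        return hmac.compare_digest(pinned, fingerprint(der_cert))

def fetch_presented_cert(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Return the server's leaf certificate (DER) without chain validation."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # the pin comparison replaces CA validation
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def connection_allowed(store: SiteExceptions, host: str, port: int = 443) -> bool:
    """Connect, read the presented certificate, and check it against the pin."""
    return store.is_trusted(host, port, fetch_presented_cert(host, port))
```

A changed certificate on the pinned host fails the check until the new fingerprint is verified and added again.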