On 08/10/2015 11:34 AM, Vincent Delecroix wrote:
>
> Let me propose something less stupid: the first time you access a
> website you have to accept the certificate manually (if you wish you can
> have a look at the fingerprint). Then, until it changes nothing happens
> (the very same way ssh works). It does not prevent certificate authorities
> from continuing to sign the certificate if they wish.
>

This is called "certificate pinning" and it's a great idea. Mozilla and Google pin their own certs for mozilla.org and google.com (and a few others, now) in Firefox/Chrome. But it's not available generally because it doesn't make anyone money. Once you have certificate pinning, you can just get rid of the CAs and use self-signed certs that last forever. Works better, for free.
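
The accept-once-then-compare behaviour discussed in this thread, sketched as an added example that is not part of the original messages or of any browser's code. `PinStore`, `PinMismatch`, the `confirm` callback and the JSON pin file are assumptions made for illustration, and the certificate bytes are constructed stand-ins.

```python
import hashlib, hmac, json, os

class PinMismatch(Exception):
    """A host presented a certificate other than the one pinned for it."""

def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, hex encoded."""
    return hashlib.sha256(der_cert).hexdigest()

class PinStore:
    """known_hosts-style store mapping "host:port" to a fingerprint (hypothetical)."""

    def __init__(self, path: str):
        self.path = path
        self.pins = {}
        if os.path.exists(path):
            with open(path, encoding="utf-8") as fh:
                self.pins = json.load(fh)

    def _save(self) -> None:
        tmp = self.path + ".tmp"
        with open(tmp, "w", encoding="utf-8") as fh:
            json.dump(self.pins, fh, indent=2, sort_keys=True)
        os.replace(tmp, self.path)  # atomic swap, no half-written pin file

    def check(self, host: str, port: int, der_cert: bytes, confirm) -> str:
        """Return "pinned" on an accepted first use and "match" afterwards.

        confirm(key, fingerprint) -> bool stands in for the manual acceptance
        step. Raises PinMismatch if the first-use prompt is declined or the
        certificate differs from the pinned one.
        """
        key = f"{host.lower()}:{port}"
        seen = fingerprint(der_cert)
        pinned = self.pins.get(key)
        if pinned is None:
            if not confirm(key, seen):
                raise PinMismatch(f"{key}: fingerprint {seen} not accepted")
            self.pins[key] = seen
            self._save()
            return "pinned"
        if hmac.compare_digest(pinned, seen):
            return "match"
        # Never re-pin silently: a change is either a renewal or an interception.
        raise PinMismatch(f"{key}: pinned {pinned}, presented {seen}")

# Constructed stand-ins for DER certificates; in real use the bytes would come
# from ssl.SSLSocket.getpeercert(binary_form=True).
CERT_A = b"constructed-der-certificate-A"
CERT_B = b"constructed-der-certificate-B"
```

The mismatch branch is where the trade-off shows: a legitimate key rotation and an interception look the same to the store, so the decision to re-pin has to come from outside it.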