On 6 feb. 2014, at 10:59, Daniele Ricci <[email protected]> wrote:
> I think I understand why... my server has no direct TLS port, just
> STARTTLS. Is the certificate tested via STARTTLS as well?

The fact that CAcert certificates are not penalized currently is simply because it's running Debian, and Debian has CAcert in their trust anchors. But I'm still a bit torn on whether to change this. I do think that outright removing them and thereby giving every CAcert server out there an F would be too harsh. On the one hand, using CAcert probably means 99% of normal users won't properly verify your certificate. On the other hand, there are other alternative trust methods I want to introduce, like POSH and DANE (already shown, but doesn't influence trust). If I use the same argument of "nobody's code will trust them based on this", then those will probably keep getting an F for a long time. That's not very stimulating.

So I'm thinking about reducing the score for servers relying on CAcert, DANE or POSH to A- or B and showing a warning about it.

The test will only test STARTTLS on port 5222/5269 or the port found in SRV records. It will not try old-style SSL on port 5223.

Thijs
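The STARTTLS path the reply refers to (plaintext stream open, check that the server offers `starttls`, send it, wait for `proceed`, only then wrap the socket in TLS), as an added example that is not code from the original thread or from the tester being discussed. It follows the RFC 6120 exchange; `probe_certificate` needs a live server, while `FakeXmppServer` is a constructed stand-in so the negotiation logic runs offline. Which anchors count as trusted is decided entirely by the store `create_default_context` loads, which is the point made above about Debian shipping CAcert.

```python
import socket
import ssl
TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"

def read_until(transport, marker, limit=65536):
    # The XMPP stream is never a complete XML document, so accumulate raw bytes up to a marker.
    buf = b""
    while marker not in buf:
        chunk = transport.recv(4096)
        if not chunk or len(buf) > limit:
            raise ConnectionError("stream closed before %r arrived" % marker)
        buf += chunk
    return buf.decode("utf-8", "replace")

def negotiate_starttls(transport, domain):
    """Plaintext half of XMPP STARTTLS (RFC 6120 section 5) over anything with sendall()/recv().
    Returns True after <proceed/>; the caller then wraps the same socket in TLS."""
    transport.sendall((f"<?xml version='1.0'?><stream:stream to='{domain}' version='1.0' "
                       "xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams'>").encode())
    features = read_until(transport, b"</stream:features>")
    if "<starttls" not in features or TLS_NS not in features:
        raise RuntimeError("server does not offer STARTTLS")
    transport.sendall(f"<starttls xmlns='{TLS_NS}'/>".encode())
    reply = read_until(transport, b"/>")
    if "<proceed" not in reply:
        raise RuntimeError("STARTTLS refused: " + reply.strip())
    return True

def probe_certificate(host, port, domain, cafile=None):
    """Connect in plaintext, upgrade via STARTTLS and return the verified peer certificate.
    Whether a CAcert-issued chain verifies depends purely on the anchors loaded here:
    the OS store by default, or an explicit bundle passed as cafile."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=10) as sock:
        negotiate_starttls(sock, domain)
        with ctx.wrap_socket(sock, server_hostname=domain) as tls:
            return tls.getpeercert()

class FakeXmppServer:
    """Constructed stand-in for a server so the negotiation can be exercised offline."""
    def __init__(self, offers_tls=True, proceeds=True):
        self.offers_tls, self.proceeds, self.queue = offers_tls, proceeds, []
    def sendall(self, data):
        if data.startswith(b"<?xml"):
            offer = f"<starttls xmlns='{TLS_NS}'><required/></starttls>" if self.offers_tls else ""
            self.queue.append(f"<stream:stream><stream:features>{offer}</stream:features>".encode())
        elif data.startswith(b"<starttls"):
            self.queue.append(f"<{'proceed' if self.proceeds else 'failure'} xmlns='{TLS_NS}'/>".encode())
    def recv(self, n):
        return self.queue.pop(0) if self.queue else b""
```

Against a real host, `probe_certificate("xmpp.example.net", 5222, "example.net")` raises `ssl.SSLCertVerificationError` when the chain does not lead to a loaded anchor, so running it once with the system store and once with a public-CA-only bundle shows exactly the Debian/CAcert difference described above.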
