On 06/21/2012 07:56 AM, James Knott wrote:
> Fabian Rodriguez wrote:
>> Please notice the typo. It looks like James used cecert.org.
>
> No I didn't. I used https, which checks the certificate for the site. If you can't trust their certificate, you can't trust any certificate they provide. If I go to that site with only http, then I don't get an error, but only because their certificate is not verified.

I realize I should have provided some more detail.

Perhaps CAcert is just not for you. If you want identity assurance, CAcert is *definitely not for you*:

"[...] certificates are considered weak because CAcert does not emit any information in the certificates other than the domain name or email address (the /CommonName/ field in X.509 certificates)."

CAcert's root certificate can't afford to be included in some browsers, see:

"Traditionally vendors seeking to have their root certificates included in browsers (directly or via the underlying OS infrastructure like Safari via OS X's Keychain) would have to seek an expensive Webtrust <http://www.webtrust.org/> audit (~$75,000 up-front plus ~$10,000 per year). While achievable for commercial CAs who typically charge per certificate year, this is typically out of the reach of non-profit organisations like CAcert."
http://wiki.cacert.org/InclusionStatus

That's why you see the warning messages (again, read them carefully, they are not security breaches or "hacking" proof).

Self-signed certificates have specific uses (and pros/cons), see:
http://en.wikipedia.org/wiki/Self-signed_certificates

Please read the Wikipedia article I've linked before, it has important, summarized information if you can't read all of CAcert's detailed documentation and rules:
http://en.wikipedia.org/wiki/Cacert

It's not some trivial subject, sorry I can't elaborate forever on this.

*The bottom line is if you don't want the warnings, can't afford the time to explain them, and have the money, pay a commercial provider and realize you are trusting some unknown corporation (rather than yourself and the combination of CAcert's web of trust).*

If you think trusting any corporation is better, just search for "ssl certificates stolen" and you'll see what I mean.

Best,
Fabian
