Fedora home server using core 9

Les Mikesell lesmikesell at gmail.com
Tue Sep 2 14:58:34 UTC 2008


Bruno Wolff III wrote:
>
>> What really annoys me is when some fool thinks that getting a
>> certificate made out to www.example.com is fine when they try to use it
>> with mail.example.com, so I always see completely avoidable warnings.
>> If they'd had the sense to have a wild-card type of certificate made out
>> to just example.com, or had the certificate cover more than one
>> sub-domain, or created more than one certificate, things would just
>> work.
> 
> The reason they don't get a wildcard cert or a CA cert is that CAs that
> have certs installed with the browsers charge more. They'd rather you'd
> pay them to sign your certificates rather than allow you to easily be
> your own CA for essentially the same cost of a single cert. The security
> benefit of doing it that way is negligible. It's all about money.
> 
> What Firefox (and other browsers) should be doing is treating https with a
> self-signed cert the same as http.

Even nicer would be to automatically check with all of the signing 
authorities that the browser currently trusts as to whether they have 
issued a certificate for this name or not.  If any of them have, the 
self-signed copy is likely to be a fraud of some sort.  Otherwise it is 
probably just a site that only wants encryption for the data stream - or 
perhaps just the authentication, but http(s) doesn't provide a handy way 
to separate the steps.

-- 
   Les Mikesell
    lesmikesell at gmail.com
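
The name mismatch discussed in this thread, as an added example that is not part of either poster's message: a simplified hostname check showing which of three certificate layouts covers www, mail and the bare domain. The matching rule (a wildcard only as the whole left-most label, covering exactly one label) and the certificate name lists are assumptions constructed for illustration.

```python
def name_matches(pattern: str, hostname: str) -> bool:
    """Compare one DNS name from a certificate with the requested hostname.

    Assumed rule: '*' is honoured only as the entire left-most label and
    stands for exactly one label, so '*.example.com' covers
    'mail.example.com' but neither 'example.com' nor 'a.b.example.com'.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse over-broad patterns such as '*.com': at least two fixed
        # labels must follow the wildcard.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def cert_covers(cert_names, hostname: str) -> bool:
    """True if any name listed in the certificate matches the hostname."""
    return any(name_matches(name, hostname) for name in cert_names)


# Constructed certificate name lists, one per layout mentioned in the thread.
CERTS = {
    "single name": ["www.example.com"],
    "wildcard": ["*.example.com"],
    "multiple names": ["www.example.com", "mail.example.com", "example.com"],
}
HOSTS = ["www.example.com", "mail.example.com", "example.com"]


def coverage_table():
    """Map each certificate layout to {hostname: covered?}."""
    return {
        label: {host: cert_covers(names, host) for host in HOSTS}
        for label, names in CERTS.items()
    }


if __name__ == "__main__":
    for label, row in coverage_table().items():
        for host, ok in row.items():
            print(f"{label:15} {host:18} {'ok' if ok else 'NAME MISMATCH'}")
```
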



