From: Ted Zlatanov
Newsgroups: gmane.emacs.gnus.general
Subject: Re: SSL certificate issues for git.gnus.org
Date: Mon, 28 Feb 2011 13:33:44 -0600
Message-ID: <8739n80x9j.fsf@lifelogs.com>
To: ding@gnus.org

On Fri, 25 Feb 2011 23:59:43 +0100 asjo@koldfront.dk (Adam Sjøgren) wrote:

AS> On Fri, 25 Feb 2011 16:54:01 -0600, Ted wrote:
AS> How is SSL using a self-signed certificate insecure?

>> Users have to either import the certificate initially or disable
>> http.sslVerify. Neither is as secure as a valid certificate chain with
>> a CA bundle that's already installed, although the former is better of
>> course.

AS> The only difference in security is whatever confirmation of identity the
AS> organisation signing the certificate performs, right?

You're talking about abstract security, as a signing process.
I'm saying the *user* has to either import the self-signed certificate
off the website and hope it's not compromised or he has to disable
http.sslVerify.

Furthermore, a self-signed certificate looks unprofessional. It's
better to set up a CA or to use a well-known one. savannah.gnu.org
thinks so too and uses CAcert: http://savannah.gnu.org/tls/

This actually connects to some questions I had about Emacs' built-in
certificates when I worked on GnuTLS support. But neither the GNU
project nor the FSF seem to have a policy in this regard so we default
to whatever certificates the OS trusts.

On Sat, 26 Feb 2011 08:51:30 +0100 Julien Danjou wrote:

JD> I hate this certificate business which brings nothing if just money
JD> to bad companies.

I respectfully disagree. The current prices on the major sellers are
certainly ridiculous but there are many reasonable and even free ones.

On Sat, 26 Feb 2011 15:59:53 +0100 Steinar Bang wrote:

>>>>>> asjo@koldfront.dk (Adam Sjøgren):
>> ... and some good *coughUbuntucough*

SB> I'm not sure, but I think they also support http://cacert.org as a CA,
SB> like debian does...?

Debian does, but Ubuntu doesn't, unfortunately. See
http://wiki.cacert.org/InclusionStatus

Ted
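
The "import the certificate" option from the message above, as an added example that is not part of the original thread: the self-signed certificate is trusted for one repository only after its SHA-256 fingerprint matches a value obtained out of band, instead of disabling http.sslVerify. The function names, paths and the way the expected fingerprint is obtained are assumptions; http.sslCAInfo and http.sslVerify are git's own settings.

```shell
#!/bin/sh
# Added example (not from the thread). The weak alternative it replaces is:
#   git config http.sslVerify false     # accepts any certificate at all
# Assumes the openssl and git command-line tools are installed.

# Print the SHA-256 fingerprint of a PEM certificate as bare uppercase hex.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null |
        sed -e 's/^.*=//' -e 's/://g' | tr 'a-f' 'A-F'
}

# pin_cert CERT_PEM EXPECTED_FP REPO_DIR
# CERT_PEM should be an absolute path. EXPECTED_FP must come from a channel
# other than the site that served CERT_PEM (signed mail, a phone call, ...);
# colons and lower-case hex are accepted.
pin_cert() {
    cert=$1 expected=$2 repo=$3

    actual=$(cert_fingerprint "$cert")
    [ -n "$actual" ] || { echo "not a readable certificate: $cert" >&2; return 2; }

    want=$(printf '%s' "$expected" | sed 's/://g' | tr 'a-f' 'A-F')
    if [ "$actual" != "$want" ]; then
        echo "fingerprint mismatch, refusing to trust $cert" >&2
        return 1
    fi

    # Reject a certificate that has already expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null || return 3

    # Trust only this certificate, and only in this repository.
    git -C "$repo" config http.sslCAInfo "$cert" || return 4

    # Drop any repo-local override that had switched verification off.
    git -C "$repo" config --unset http.sslVerify || true
}
```

Because http.sslCAInfo is set in the repository's own configuration, the system CA bundle keeps applying to every other repository.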