14 Nov
2008
14 Nov
'08
1:23 p.m.
Hi Jan,
I hope you don't mind me posting this back to the list. I got the
feeling you intended it to go there.
On Fri, Nov 14, 2008 at 12:00:26PM -0000, Jan Henkins wrote:
I've had a play with CaCERT's stuff (free, see
http://www/cacert.org)
which do work well enough not to upset FF3, at least as far as I can see.
Only downside is all certs they give out has a default expiry set to 6
months, which can be a bit of a pain. Have you tried this route?
CAcert's root certificate is not present in Mozilla Firefox yet so I
don't know how it is working for you, unless you have told your
Firefox to import it or else your OS packaged it.
See: http://wiki.cacert.org/wiki/InclusionStatus
Note the lack of inclusion for Internet Explorer, Mozilla Firefox or
Safari.[1]
What percentage of hits to {lists,panel,tools}.bitfolk.com do you
think come from Debian / Ubuntu / Gentoo / CentOS / Mandriva desktop
users?
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
Encrypted mail welcome - keyid 0x604DE5DB
[1] I'm not criticising CAcert; I believe their goal is impossible.
I'm just stating reality.
14 Nov
14 Nov
1:59 p.m.
New subject: More money fed into the SSL certificate scam
'Ĺo Andy
On Fri, November 14, 2008 13:23, Andy Smith wrote:
Hi Jan,
I hope you don't mind me posting this back to the list. I got the
feeling you intended it to go there.
Not the original intention, but it's OK if it does.
On Fri, Nov 14, 2008 at 12:00:26PM -0000, Jan Henkins
wrote:
You are right. I have inported their root cert a relatively long time ago,
and have migrated it across new Linux installs with my backed up home
directory. At work I use CentOS 5, and it has been bundled already (which
is why my FF3 did not complain, so I suppose it was a false positive
because of these two facts). I will attempt to look into what the current
status is for it's inclusion in Ubuntu 8.04 and 8.10 just to slake my own
curiosity.
I've had a play with CaCERT's stuff
(free, see http://www/cacert.org)
which do work well enough not to upset FF3, at least as far as I can
see.
Only downside is all certs they give out has a default expiry set to 6
months, which can be a bit of a pain. Have you tried this route?
CAcert's root certificate is not present in Mozilla Firefox yet so I
don't know how it is working for you, unless you have told your
Firefox to import it or else your OS packaged it. See: http://wiki.cacert.org/wiki/InclusionStatus
Note the lack of inclusion for Internet Explorer, Mozilla Firefox or
Safari.[1]
What percentage of hits to {lists,panel,tools}.bitfolk.com do you
think come from Debian / Ubuntu / Gentoo / CentOS / Mandriva desktop
users?
Well, that is not something I can surmise about, since I don't have access
to your server logs. :-) Why don't you tell us anyway? Not necessary, but
it would be interesting to know.
[1] I'm not criticising CAcert; I believe their
goal is impossible.
I'm just stating reality.
OK, I understand your point, although I don't agree with "impossible", it
is merely "incredibly hard"! :-) I personally wish them all possible
strength, since it is (at least in my opinion) a very important precedent
that they are trying to set.
--
Regards,
Jan Henkins
3:38 p.m.
New subject: More money fed into the SSL certificate scam
Hi Jan,
On Fri, Nov 14, 2008 at 01:59:15PM -0000, Jan Henkins wrote:
Those sites are almost the ideal candidate for CAcert is inclusion,
given the nature of the users, yet still Windows user agents make up
over 70% of hits to the login forms on the above SSL sites. Most of
these are Firefox but still a healthy minority are Internet
Explorer.
So unless Firefox on Windows distributes CAcert's root certificate,
IMHO it would have been a waste of time for me to explore the CAcert
route. I realise this is a chicken before the egg situation, but I
don't have time to explain the issues every time someone complains
that Firefox says Bitfolk's sites are insecure.
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
Encrypted mail welcome - keyid 0x604DE5DB
'Ĺo Andy
On Fri, November 14, 2008 13:23, Andy Smith wrote:
Oops! Very sorry, I will ask in future.
I hope you don't mind me posting this back to
the list. I got the
feeling you intended it to go there.
Not the original intention, but it's OK if it does. See:
http://wiki.cacert.org/wiki/InclusionStatus
Note the lack of inclusion for Internet Explorer, Mozilla Firefox or
Safari.[1]
What percentage of hits to {lists,panel,tools}.bitfolk.com do you
think come from Debian / Ubuntu / Gentoo / CentOS / Mandriva desktop
users?
Well, that is not something I can surmise about, since I don't have access
to your server logs. :-) Why don't you tell us anyway? Not necessary, but
it would be interesting to know. 
3:51 p.m.
New subject: More money fed into the SSL certificate scam
On 14 Nov 2008, at 15:38, Andy Smith wrote:
So unless Firefox on Windows distributes CAcert's
root certificate,
IMHO it would have been a waste of time for me to explore the CAcert
route. I realise this is a chicken before the egg situation, but I
don't have time to explain the issues every time someone complains
that Firefox says Bitfolk's sites are insecure.
Have you had a look at StartCom? Their root cert is included in
Firefox and Safari.
http://cert.startcom.org/
--
Joey
4:31 p.m.
New subject: More money fed into the SSL certificate scam
Joey Walsh wrote:
Have you had a look at StartCom? Their root cert is
included in
Firefox and Safari.
http://cert.startcom.org/
Thanks for this! It's good to know that there are more than one free SSL
cert company. I might try them out for my website, currently I use a
CACert for my mail.
--
Regards,
Jan Henkins
15 Nov
15 Nov
5:44 p.m.
New subject: More money fed into the SSL certificate scam
Hi Joey,
On Fri, Nov 14, 2008 at 03:51:37PM +0000, Joey Walsh wrote:
Have you had a look at StartCom? Their root cert is
included in
Firefox and Safari.
http://cert.startcom.org/
Nice find! I didn't know about this. I'm really surprised that any
free one managed to get into Firefox. Do you happen to know what
the situation is with startcom and IE?
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
Encrypted mail welcome - keyid 0x604DE5DB
14 Nov
14 Nov
3:49 p.m.
New subject: More money fed into the SSL certificate scam
<67b4da934ff99fb8b68250a3a74f3193.squirrel(a)www.henkins.za.net>
<20081114132322.GG29527(a)bitfolk.com>
<1cac6cd88fcb3af1ca4544b3b7c56d2d.squirrel(a)www.henkins.za.net>
X-Priority: 5 (Lowest)
Message-ID: <08153215e58817e2e13ad2caa7493a90@localhost>
X-Sender: tony(a)tonywhitmore.co.uk
Received: from srv-gw06.tauntons.ac.uk [212.219.117.82] with HTTP/1.1 (POST);
Fri, 14 Nov 2008 15:49:28 +0000
User-Agent: RoundCube Webmail/0.1-rc2
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
On Fri, 14 Nov 2008 13:59:15 -0000 (UTC), "Jan Henkins"
<jan(a)henkins.za.net> wrote:
> On Fri, Nov 14, 2008 at 12:00:26PM -0000, Jan
Henkins wrote:
>> I've had a play with CaCERT's stuff
(free, see http://www/cacert.org)
>> which do work well enough not to upset FF3, at
least as far as I can
>> see.
>> Only downside is all certs they give out has a
default expiry set to 6
>> months, which can be a bit of a pain. Have you
tried this route?
>
> CAcert's root certificate is not present in
Mozilla Firefox yet so I
> don't know how it is working for you, unless
you have told your
> Firefox to import it or else your OS packaged it.
You are right. I have inported their root cert a
relatively long time
ago,
and have migrated it across new Linux installs with my
backed up home
directory. At work I use CentOS 5, and it has been
bundled already (which
is why my FF3 did not complain, so I suppose it was a
false positive
because of these two facts). I will attempt to look
into what the current
status is for it's inclusion in Ubuntu 8.04 and
8.10 just to slake my own
curiosity.
The CACert root CA has been in the Debian and Ubuntu ca-certificates
packages for some time, which means that applications that use that
repository of certificates will accept a CACert certificate by default.
However, Firefox on Ubuntu at least has its own list of allowed CA
certificates it trusts, and CACert is not (yet) on it.
We're using CACert certificates at work and it has raised a few questions.
However documentation on non-SSL parts of the sites in question seems to
answer most queries.
Tony
4:21 p.m.
New subject: More money fed into the SSL certificate scam
Hello Tony,
On Fri, November 14, 2008 15:49, Tony Whitmore wrote:
The CACert root CA has been in the Debian and Ubuntu
ca-certificates
packages for some time, which means that applications that use that
repository of certificates will accept a CACert certificate by default.
However, Firefox on Ubuntu at least has its own list of allowed CA
certificates it trusts, and CACert is not (yet) on it.
Thanks, that answers the question for me! :-)
--
Regards,
Jan Henkins
5889
days inactive
5890
days old
7 comments
4 participants
participants (4)
-
Andy Smith -
Jan Henkins -
Joey Walsh -
Tony Whitmore