[ntp:questions] Is there something with greater detail on "interface" besides the manpage?
David Woolley
david at ex.djwhome.demon.invalid
Thu Nov 21 08:27:25 UTC 2013
On 21/11/13 00:54, John Hasler wrote:
> The CAcert certificate is included by Debian, most other Linux
> distributions, and by OpenBSD. It is at least as trustworthy as most
> commercial certificates.
>
That's mainly because Microsoft accepts so many obscure certifiers by
default. However, as I said, any organisation that is serious about
security will probably disable most of the commercial ones.
My ISP used to use CACert for a long time, but they've moved to COMODO
because of the problem of not having trust.
(I suspect most people don't realise that even within a single
commercial certifier, there are usually different certificates, ranging
from something like "email gets to the requestor" to a detailed scrutiny
of the subject.)
But my main point was that it is bad practice for an untrusted site to
tell people what to do to make it appear trusted. Ideally people should
ignore that advice as self serving, but in practice it encourages them
to always accept similar advice from less trustworthy sites.
Most browsers will let you install single exception certificates, so if
there is a specific site that you really trust (either because you have
authenticated it by other means, or because you consider it low risk)
but has an unknown certifier, you should install the certificate for the
individual site, not for the unknown certifier.
It's not like installing a missing library, to enable a package to run,
it is actually saying that you trust the certifier to properly
authenticate the subjects. The site will actually run without that
certificate.
I did install the CACert one on my home use only system when my ISP used
it, but I would not consider doing that for systems that I also used for
work, and, for example, installed a server level certificate for the
ISP's email server in the home Windows machines, which were occasionally
used for work.
Actually I would expect the name on their root certificates, the generic
"Root CA" to send warning bells to anyone who was security conscious,
but not already familiar with them.