[ntp:questions] Is there something with greater detail on "interface" besides the manpage?

David Woolley david at ex.djwhome.demon.invalid
Thu Nov 21 08:27:25 UTC 2013


On 21/11/13 00:54, John Hasler wrote:
> The CAcert certificate is included by Debian, most other Linux
> distributions, and by OpenBSD.  It is at least as trustworthy as most
> commercial certificates.
>
That's mainly because Microsoft accepts so many obscure certifiers by 
default.  However, as I said, any organisation that is serious about 
security will probably disable most of the commercial ones.

My ISP used to use CACert for a long time, but they've moved to COMODO 
because of the problem of not having trust.

(I suspect most people don't realise that even within a single 
commercial certifier, there are usually different certificates, ranging 
from something like email gets to the requestor, to a detailed scrutiny 
of the subject.)

But my main point was that it is bad practice for an untrusted site to 
tell people what to do to make it appear trusted.  Ideally people should 
ignore that advice as self serving, but in practice it encourages them 
to always accept similar advice from less trustworthy sites.

Most browsers will let you install single exception certificates, so if 
there is a specific site that you really trust (either because you have 
authenticated it by other means, or because you consider it low risk) 
but has an unknown certifier, you should install the certificate for the 
individual site, not for the unknown certifier.

It's not like installing a missing library, to enable a package to run, 
it is actually saying that you trust the certifier to properly 
authenticate the subjects.  The site will actually run without that 
certificate.

I did install the CACert one on my home use only system when my ISP used 
it, but I would not consider doing that for systems that I also used for 
work, and, for example, installed a server level certificate for the 
ISP's email server in the home Windows machines, which were occasionally 
used for work.

Actually I would expect the name on their root certificates, the generic 
"Root CA" to send warning bells to anyone who was security conscious, 
but not already familiar with them.
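The distinction drawn in the message above, between installing a certifier's root (which makes every certificate that certifier ever signs acceptable) and installing a single-site exception (which accepts only the one certificate you verified by other means), can be shown with Go's standard library. This is an added example, not code from the mailing list or from the ntp project: it builds a throwaway CA named "Root CA" (the generic name the post remarks on), has it sign two certificates for the same constructed hostname mail.example.net, and then checks each certificate under both trust models. The hostname and the struct and function names are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Constructed hostname for the demo; not a real site.
const host = "mail.example.net"

// demoPKI holds an unknown certifier's root and two certificates it signed
// for the same name: the one you verified out of band, and another one
// (different key) that the same certifier could issue to anyone else.
type demoPKI struct {
	root  *x509.Certificate
	site  *x509.Certificate
	other *x509.Certificate
}

// sign creates and parses a certificate from template, signed by parent/signer.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// buildDemoPKI generates the private root CA and the two leaf certificates.
func buildDemoPKI() (*demoPKI, error) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Root CA"}, // deliberately generic
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	root, err := sign(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed
	if err != nil {
		return nil, err
	}
	// leaf issues a server certificate for host under the root, with a fresh key.
	leaf := func(serial int64) (*x509.Certificate, error) {
		key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		tmpl := &x509.Certificate{
			SerialNumber: big.NewInt(serial),
			Subject:      pkix.Name{CommonName: host},
			DNSNames:     []string{host},
			NotBefore:    now.Add(-time.Hour),
			NotAfter:     now.Add(24 * time.Hour),
			KeyUsage:     x509.KeyUsageDigitalSignature,
			ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		}
		return sign(tmpl, root, &key.PublicKey, caKey)
	}
	site, err := leaf(2)
	if err != nil {
		return nil, err
	}
	other, err := leaf(3)
	if err != nil {
		return nil, err
	}
	return &demoPKI{root: root, site: site, other: other}, nil
}

// trustCertifier models installing the certifier's root in the trust store:
// chain verification then succeeds for anything that root has signed for host.
func trustCertifier(root, presented *x509.Certificate, name string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := presented.Verify(x509.VerifyOptions{Roots: pool, DNSName: name})
	return err == nil
}

// fingerprint is the SHA-256 of the DER certificate, the value a single-site
// exception records when you accept one specific certificate.
func fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// trustSingleSite models the per-site exception: only the exact certificate
// whose fingerprint was recorded is accepted, whoever signed it.
func trustSingleSite(pinned string, presented *x509.Certificate) bool {
	return fingerprint(presented) == pinned
}

func main() {
	p, err := buildDemoPKI()
	if err != nil {
		panic(err)
	}
	pin := fingerprint(p.site)
	fmt.Println("root installed, verified cert:  ", trustCertifier(p.root, p.site, host))
	fmt.Println("root installed, other cert:     ", trustCertifier(p.root, p.other, host))
	fmt.Println("site exception, verified cert:  ", trustSingleSite(pin, p.site))
	fmt.Println("site exception, other cert:     ", trustSingleSite(pin, p.other))
}
```

With the root installed, both certificates pass chain verification for mail.example.net, because the trust decision was delegated to the certifier; with a pinned fingerprint only the certificate you actually examined is accepted, which is the narrower exception the post recommends.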


