Date: Mon, 21 Oct 2002 17:38:30 -0700
From: Terry Lambert <tlambert2@mindspring.com>
To: Dan Langille <dan@langille.org>
Cc: "Kevin D. Kinsey, DaleCo, S.P." <kdk@daleco.biz>, freebsd-chat@FreeBSD.ORG
Subject: Re: Verisign, Thawte, Entrust, whom?
Message-ID: <3DB49E06.9E2B65D2@mindspring.com>
References: <3DB45C94.9163.204D73AE@localhost>

Dan Langille wrote:
> > The canonical answer for HTTPS: has to be:
> >
> > "Whatever vendors whose top level authorities are installed
> > by default in both IE and Netscape"
>
> That will vary from version to version.  Newer browsers have more CA
> certs.
>
> When Terry mentions "vendors whose top level authorities" I think it
> reflects the situation where a few companies have gotten around the
> problem of not having a root cert in IE/Netscape by getting one of the
> "established" CAs to sign an intermediate CA certificate for them.
> See http://www.whichssl.com/faq/intermediates.html for a bit more
> detail on the matter.

Yes; just so.

The problem of versions has to be "whatever versions you want to
have people be able to use without a Dire Warning Of Impending
Doom(tm) and/or a refusal to accept the certificate altogether".

The natural answer to that is "I want it to work with all SSL
capable browsers of any version".

An interesting problem here is that a number of the intermediate
certificates you mention have, in fact, expired, so as that bug
is fixed, or as time goes on, the browsers will start issuing the
Dire Warning...(tm) to users.

Basically, any unexpected event which occurs during a supposedly
secure transaction is the fault of your site, not the fault of
the browser, as far as users are concerned (after all, it "works
fine" with other certificated sites).

-- Terry

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-chat" in the body of the message