Re: exim4 SSL/TLS client: refusal to verify certificate

From: Jacob Anawalt (jacob_at_cachevalley.com)
Date: 10/04/03

    Date: Sat, 04 Oct 2003 00:40:13 -0600
    To: Debian-User <debian-user@lists.debian.org>
    
    

    Sebastian Kapfer wrote:
    > On Thu, 02 Oct 2003 03:40:07 +0200, Vineet Kumar wrote:
    >
    >
    >>Perhaps it's failing because it can't verify a certificate chain from a
    >>trusted root certificate? You might need to grab the thawte CA cert and
    >>append it to your tlscerts.out.
    >
    >
    > You are right. Exim doesn't even care about the server's certificate. When
    > I concatenate all Thawte root certs (from the ca-certificates package)
    > into tlscerts.out, Exim can derive the validity of the GMX certificate.
    >
    > I find that a bit strange, since I cannot see why I should trust Thawte
    > more than I trust my email provider, but so be it....
    >

    LOL. I agree with that.

    While _we_ don't trust Verisign or Thawte more than someone we deal
    directly with, the masses do because their browser came installed with
    their root certificates. Why does exim use CA/X509 based certificates
    rather than OpenPGP ones? Probably because TLS was designed with X509/CA
    based certs. There was an internet draft for using OpenPGP keys and
    thus their trust model which, according to the link I found, expired
    the first of this month:

    http://www.ietf.org/internet-drafts/draft-ietf-tls-openpgp-keys-03.txt

    The whole trust thing is funny. What does it take for me to get a
    Verisign Certificate? A business tax ID, preferably a Dun number, and a
    printed form on my business letterhead. There, now you can trust me to
    send your credit card numbers to. :P

    So, why do businesses pay them? Because they are afraid that people will
    get the browser alert warning them the certificate is not signed by a
    "trusted" authority. The CA owners and investors must laugh all the way
    to the bank every day.

    --
    Jacob
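As an added illustration of Vineet's diagnosis above (this is not code from the thread or from Exim), the script below builds a throwaway CA and a server certificate it issued, then runs OpenSSL's chain verifier first against a trust file holding only the server's own certificate and then against the same file with the issuing root appended. The file name tlscerts.out mirrors the thread; the CA name, hostname and working directory are constructed stand-ins.

```shell
#!/bin/sh
# Added example: why a client-side trust file must contain the issuing
# root, not just the server's own certificate. Everything here is a
# constructed, throwaway PKI (stand-ins for the Thawte root and the GMX cert).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed root and a server certificate signed by it.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Test Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/server.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -days 1 -out "$WORK/server.pem" 2>/dev/null
}

# verify_with BUNDLE CERT: prints "ok" or "fail", the same yes/no an MTA
# gets back from the library when it verifies the peer's certificate.
verify_with() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

make_test_pki

# 1. Trust file holds only the server's own (non-self-signed) certificate:
#    the verifier cannot anchor the chain at a root, so this fails.
cp "$WORK/server.pem" "$WORK/tlscerts.out"
verify_with "$WORK/tlscerts.out" "$WORK/server.pem"

# 2. Append the issuing root, as the thread did with the Thawte certs:
#    the chain now ends at a trusted self-signed root, so this succeeds.
cat "$WORK/ca.pem" >> "$WORK/tlscerts.out"
verify_with "$WORK/tlscerts.out" "$WORK/server.pem"
```

The second run is the only one that passes; the first fails even though the exact server certificate is in the trust file, because OpenSSL does not treat a non-self-signed certificate as a trust anchor unless partial-chain verification is explicitly enabled.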