Re: uses an invalid security certificate

From: TJ <spi-inc(at)iam(dot)tj>
To: Jimmy Kaplowitz <jimmy(at)spi-inc(dot)org>
Cc: spi-general(at)lists(dot)spi-inc(dot)org
Subject: Re: uses an invalid security certificate
Date: 2014-02-27 20:48:35
Lists: spi-general

On 27/02/14 17:37, Jimmy Kaplowitz wrote:
> On Thu, Feb 27, 2014 at 07:43:32AM +0000, TJ wrote:
>> Visiting [2] I hit another issue with an invalid certificate being presented causing Firefox to warn "The certificate is not valid for any server names" (as well as certificate not
>> trusted). The certificate's Common Name is "" and there are no Subject Alt Name hosts.
>> How can we have trust in the CA when the CA itself cannot correctly manage its own certificates?
> While your empirical data is correct, your conclusion is not. There's no place
> in which we link to the main SPI website using that URL; it's intended to be
> viewed over unencrypted HTTP. The only SPI website which is meant for HTTPS
> access is, which is correctly reflected in the SSL
> certificate.

If that is the intent then the URL I accessed should *not* be served over HTTPS at all.

My initial issue - the untrusted Debian certificate - stemmed from being referred to the Debian URL in order to check the Debian Linux kernel repository. I was not using a Debian host to do that, so
when the browser warned of certificate issues I followed the chain back to the CA.

Not having heard of SPI previously I wanted to verify the organisation's authenticity. Finding what seemed like an amateurish fault on the SPI host certificate too, my willingness to trust the CA was
greatly diminished.

