Re: www.spi-inc.org uses an invalid security certificate

From: TJ <spi-inc(at)iam(dot)tj>
To: Jimmy Kaplowitz <jimmy(at)spi-inc(dot)org>
Cc: spi-general(at)lists(dot)spi-inc(dot)org
Subject: Re: www.spi-inc.org uses an invalid security certificate
Date: 2014-02-27 20:48:35
Message-ID: 530FA4A3.9070506@iam.tj
Lists: spi-general

On 27/02/14 17:37, Jimmy Kaplowitz wrote:
> On Thu, Feb 27, 2014 at 07:43:32AM +0000, TJ wrote:
>> Visiting spi-inc.org [2] I hit another issue with an invalid certificate being presented causing Firefox to warn "The certificate is not valid for any server names" (as well as certificate not trusted). The certificate's Common Name is "members.spi-inc.org" and there are no Subject Alt Name hosts.
>>
>> How can we have trust in the CA when the CA itself cannot correctly manage its own certificates?
>
> While your empirical data is correct, your conclusion is not. There's no place
> in which we link to the main SPI website using that URL; it's intended to be
> viewed over unencrypted HTTP. The only SPI website which is meant for HTTPS
> access is members.spi-inc.org, which is correctly reflected in the SSL
> certificate.

If that is the intent then the URL I accessed should *not* be served over HTTPS at all.

My initial issue - the untrusted Debian certificate - stemmed from being referred to the Debian URL in order to check the Debian Linux kernel repository. I was not using a Debian host to do that, so when the browser warned of certificate issues I followed the chain back to the CA.

Not having heard of SPI previously I wanted to verify the organisation's authenticity. Finding what seemed like an amateurish fault on the SPI host certificate too, my willingness to trust the CA was greatly diminished.
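The Firefox warning quoted in the thread comes from hostname verification: a browser matches the requested host against the certificate's Subject Alt Name dNSNames and only falls back to the Common Name when no dNSName is present (RFC 6125 rules, including single-label wildcards). The following is an added example, not code from SPI or anyone on this list; it reimplements that check over certificate dicts in the shape Python's `ssl.SSLSocket.getpeercert()` returns, with constructed sample certificates modelled on the CN=members.spi-inc.org, no-SAN certificate described above.

```python
"""Browser-style hostname verification (RFC 6125) as an added example.

Certificate dicts mirror the shape of ssl.SSLSocket.getpeercert();
the sample certificates below are constructed, not fetched from SPI.
"""


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """True if a certificate DNS name (possibly a wildcard) covers hostname."""
    pattern_labels = pattern.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if len(pattern_labels) != len(host_labels):
        return False
    first, rest = pattern_labels[0], pattern_labels[1:]
    # Wildcards are only permitted in the left-most label, must stand for
    # exactly one whole label, and must not cover a bare suffix like "*.org".
    if any("*" in label for label in rest):
        return False
    if "*" in first:
        if first != "*" or len(rest) < 2:
            return False
        return rest == host_labels[1:]
    return pattern_labels == host_labels


def cert_names(cert: dict) -> list[str]:
    """Names the certificate asserts: SAN dNSNames, else the subject CN.

    Once any dNSName SAN is present the CN is ignored, which is why a
    certificate with a correct CN but a stale SAN list still fails."""
    sans = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ())
            for (kind, value) in rdn if kind == "commonName"]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """Verdict a browser would reach for hostname against this certificate."""
    return any(dns_name_matches(name, hostname) for name in cert_names(cert))


# Constructed: the certificate described in the thread, CN only, no SANs.
SPI_MEMBERS_CERT = {
    "subject": ((("commonName", "members.spi-inc.org"),),),
    "subjectAltName": (),
}

# Constructed: what a certificate covering both hosts would need to carry.
SPI_BOTH_HOSTS_CERT = {
    "subject": ((("commonName", "members.spi-inc.org"),),),
    "subjectAltName": (("DNS", "members.spi-inc.org"), ("DNS", "www.spi-inc.org")),
}

if __name__ == "__main__":
    for host in ("www.spi-inc.org", "members.spi-inc.org"):
        print(host, hostname_matches(SPI_MEMBERS_CERT, host), hostname_matches(SPI_BOTH_HOSTS_CERT, host))
```

Run as written it reports that the CN-only certificate is valid for members.spi-inc.org but not for www.spi-inc.org, which is the mismatch Firefox reported; serving the second host over plain HTTP, or issuing a certificate whose SANs list both names, removes the warning.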
