[time-nuts] Febo.com SSL certificate expired

Bob Camp lists at rtty.us
Fri Oct 15 23:47:18 UTC 2010


Hi

The issue is as much defective software as anything else. There simply aren't enough self signed situations out there to drive a problem up their solution list. 

The gotcha is the good old "but my software works with everything else". May be easy to get around that with the technically inclined. Not so much when the customer is mom.....

Bob


On Oct 15, 2010, at 7:00 PM, Magnus Danielson wrote:

> On 10/16/2010 12:08 AM, Bob Camp wrote:
>> Hi
>> 
>> It's a crazy world when it comes to self signed certs.
>> 
>> You have at least 5 OS's you need to consider (MS, Linux/FBSD, OS-X, I-OS, Android). You need to think about both browsers and mail clients. Each of those comes from a half dozen sources on each platform. Then you have configuration options on each. That's a lot of combinations.
>> 
>> Each combo seems to have a different idea of what not to do when they see a self signed cert. If you want to be able to handle all of them, even "real" certs may have issues. There are indeed several common combos that are a major pain with a self signed cert.
>> 
>> No, I didn't write any of the code with the problems in it. I also don't want to get into the details of what and where. This really isn't the forum for that sort of thing. I'm not out to bash any particular solution, only to point out that there are indeed issues.
> 
> To handle part of the mess, we have set up our local root cert at the computer club, and then sign our server certs to that. I did a major overhaul on the infrastructure for that. It is still not "real" safety routines, but ah well. We provide a cert download which quickly solves the cert issue with most browsers.
> 
> Seems to work for our myriad of server and client OSes and clients.
> 
> There are various ways to get "real" root certs, but depending on degree of uhm... safety... it may be argued of their capabilities. There are efforts to build a chain of trust for a stable free root cert, but it is so far not included in any major browsers.
> 
> Essentially it's a mess. I've only scratched the surface here.
> 
> Cheers,
> Magnus
