
Re: exim4 SSL/TLS client: refusal to verify certificate



Sebastian Kapfer wrote:
> On Thu, 02 Oct 2003 03:40:07 +0200, Vineet Kumar wrote:
>
> > Perhaps it's failing because it can't verify a certificate chain from a
> > trusted root certificate?  You might need to grab the thawte CA cert and
> > append it to your tlscerts.out.
>
> You are right. Exim doesn't even care about the server's certificate. When
> I concatenate all Thawte root certs (from the ca-certificates package)
> into tlscerts.out, Exim can derive the validity of the GMX certificate.
>
> I find that a bit strange, since I cannot see why I should trust Thawte
> more than I trust my email provider, but so be it....


LOL. I agree with that.

While _we_ don't trust Verisign or Thawte more than someone we deal directly with, the masses do because their browser came installed with their root certificates. Why does exim use CA/X509 based certificates rather than OpenPGP ones? Probably because TLS was designed with X509/CA based certs. There was an internet draft for using OpenPGP keys and thus their trust model which, according to the link I found, expired on the first of this month:

http://www.ietf.org/internet-drafts/draft-ietf-tls-openpgp-keys-03.txt

The whole trust thing is funny. What does it take for me to get a Verisign Certificate? A business tax ID, preferably a Dun number, and a printed form on my business letterhead. There, now you can trust me to send your credit card numbers to. :P

So, why do businesses pay them? Because they are afraid that people will get the browser alert warning them the certificate is not signed by a "trusted" authority. The CA owners and investors must laugh all the way to the bank every day.

--
Jacob
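To make the chain-verification point from Sebastian's reply concrete, here is an added example (not part of this thread, and not Exim's or Debian's code) that reproduces the situation offline with the openssl command-line tool: a server certificate whose issuing root is absent from the trust file is rejected, and the same certificate is accepted once the root is appended to that file, which is what concatenating the Thawte roots into tlscerts.out did. The demo CA, the host name mail.example.test and the file names are constructed; the script assumes openssl 1.1.1 or newer on PATH.

```shell
#!/bin/sh
# Added example (not from the thread, not Exim's code): show with the openssl
# CLI why a trust file must hold the issuing CA's root certificate, not merely
# the server's own certificate, for chain verification to pass.
# Assumes: openssl 1.1.1 or newer on PATH. CA name, host name and file names
# are constructed for the demo.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CFG="$WORK/demo.cnf"

# Minimal openssl config: a CA profile and a server (leaf) profile.
cat > "$CFG" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = demo
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:mail.example.test
EOF

# 1. A private root CA (plays the role of the Thawte root in the thread).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
  -config "$CFG" -extensions v3_ca -subj "/CN=Demo Root CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# 2. A server certificate issued by that CA (plays the role of the GMX cert).
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -config "$CFG" -subj "/CN=mail.example.test" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -set_serial 1 -days 1 -sha256 -extfile "$CFG" -extensions v3_leaf \
  -out "$WORK/leaf.pem" 2>/dev/null

# 3. Two candidate trust files: the server cert alone, and the server cert
#    with the CA root appended (what appending the Thawte roots to
#    tlscerts.out achieved in the thread).
cp "$WORK/leaf.pem" "$WORK/trust-leaf-only.pem"
cat "$WORK/leaf.pem" "$WORK/ca.pem" > "$WORK/trust-with-root.pem"

# verify_status TRUSTFILE: prints "verified" when leaf.pem chains to a
# self-signed certificate in TRUSTFILE, "rejected" otherwise.
verify_status() {
  if openssl verify -CAfile "$1" "$WORK/leaf.pem" >/dev/null 2>&1; then
    echo verified
  else
    echo rejected
  fi
}

# Expected: trust-leaf-only.pem is rejected, trust-with-root.pem is verified.
for f in trust-leaf-only.pem trust-with-root.pem; do
  echo "$f: $(verify_status "$WORK/$f")"
done
```

The verifier does not care that the server's own certificate is present in the trust file; it only accepts a chain that ends at a self-signed certificate it finds there. That is why a tlscerts.out holding just the GMX certificate was useless to Exim and a copy of the issuing root fixed it. The flip side, which is the trust question Sebastian and Jacob raise, is that once the root is in the file, every certificate that CA ever issues for the host name is accepted, not just the one you inspected.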


