On Seg, 03 Jan 2011, Eduardo M KALINOWSKI wrote:
2. Some linux distro's I see now do have certified https, like fedora which puts gpg fingerprints (SHA1) of their public keys on their certified website. 3. Other distros have md5 hashes over certified https, like ubuntu. (virtually a shared fourth place with debian)Do you trust Verisign or the issuer of the http certificate?
And also: if you trust them, are you sure the certificate you have in your machine for verification is the actual certificate?
You could go to the issuer's site and look for the fingerprint for verification. But how can you be sure that the fingerprint is legitimate? SSL can't help you here because of the chicken and egg problem.
-- All rights reserved. Eduardo M KALINOWSKI eduardo@kalinowski.com.br