[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: exim4 SSL/TLS client: refusal to verify certificate

Sebastian Kapfer wrote:
On Thu, 02 Oct 2003 03:40:07 +0200, Vineet Kumar wrote:

Perhaps it's failing because it can't verify a certificate chain from a
trusted root certificate?  You might need to grab the thawte CA cert and
append it to your tlscerts.out.

You are right. Exim doesn't even care about the server's certificate. When
I concatenate all Thawte root certs (from the ca-certificates package)
into tlscerts.out, Exim can derive the validity of the GMX certificate.

I find that a bit strange, since I cannot see why I should trust Thawte
more than I trust my email provider, but so be it....

LOL. I agree with that.

While _we_ don't trust Verisign or Thawte more than somone we deal directly with, the masses do because their browser came installed with thier root certificates. Why does exim use CA/X509 based certificates rather than OpenPGP ones? Probably because TLS was designed with X509/CA based certs . There was an internet draft for using OpenPGP keys and thus their trust model that according to the link I found that expired the first of this month:


The whole trust thing is funny. What does it take for me to get a Verisign Certificate? A business tax ID, preferably a Dun number, and a printed form on my business letterhead. There, now you can trust me to send your credit card numbers to. :P

So, why do businesses pay them? Because they are afraid that people will get the browser alert warning them the certificate is not signed by a "trusted" authority. The CA owners and investors must laugh all the way to the bank every day.


Reply to: