Re: exim4 SSL/TLS client: refusal to verify certificate
Sebastian Kapfer wrote:
> On Thu, 02 Oct 2003 03:40:07 +0200, Vineet Kumar wrote:
> > Perhaps it's failing because it can't verify a certificate chain from a
> > trusted root certificate? You might need to grab the thawte CA cert and
> > append it to your tlscerts.out.
> You are right. Exim doesn't even care about the server's certificate. When
> I concatenate all Thawte root certs (from the ca-certificates package)
> into tlscerts.out, Exim can derive the validity of the GMX certificate.
> I find that a bit strange, since I cannot see why I should trust Thawte
> more than I trust my email provider, but so be it....
LOL. I agree with that.
While _we_ don't trust Verisign or Thawte more than someone we deal
directly with, the masses do because their browser came installed with
their root certificates. Why does exim use CA/X509 based certificates
rather than OpenPGP ones? Probably because TLS was designed with X509/CA
based certs. There was an internet draft for using OpenPGP keys, and
thus their trust model, which according to the link I found expired on
the first of this month:
The whole trust thing is funny. What does it take for me to get a
Verisign Certificate? A business tax ID, preferably a Dun number, and a
printed form on my business letterhead. There, now you can trust me to
send your credit card numbers to. :P
So, why do businesses pay them? Because they are afraid that people will
get the browser alert warning them the certificate is not signed by a
"trusted" authority. The CA owners and investors must laugh all the way
to the bank every day.
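The behaviour Sebastian describes, where the server certificate only verifies once its issuing root is in tlscerts.out, can be reproduced outside Exim. The script below is an added illustration, not part of the thread and not Exim's own code: it builds two throwaway self-signed root CAs and a server certificate signed by one of them, then runs `openssl verify` against a bundle that lacks the issuing root and against one that contains it. All names (`Example Root CA`, `Other Root CA`, `mail.example.invalid`) are constructed for the example; it only needs the `openssl` command line tool.

```shell
#!/bin/sh
# Added example: show that chain verification against a CA bundle
# (the role tlscerts.out plays for Exim) succeeds only when the bundle
# contains the root that issued the server certificate.
set -e
WORK=$(mktemp -d)

# Constructed root CA standing in for the provider's real issuer (e.g. Thawte).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Example Root CA" \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1

# A second, unrelated constructed root: a bundle that only holds this one
# mirrors a tlscerts.out that is missing the right CA cert.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Other Root CA" \
  -keyout "$WORK/other.key" -out "$WORK/other.pem" >/dev/null 2>&1

# Constructed server certificate, signed by "Example Root CA".
openssl req -newkey rsa:2048 -nodes \
  -subj "/CN=mail.example.invalid" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
openssl x509 -req -days 1 -in "$WORK/server.csr" \
  -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
  -out "$WORK/server.pem" >/dev/null 2>&1

# verify_against_bundle BUNDLE CERT: prints "ok" when CERT chains to a
# root in BUNDLE, "fail" otherwise (exit status stays 0 either way).
verify_against_bundle() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Bundle without the issuing root: only the unrelated CA is trusted.
cat "$WORK/other.pem" > "$WORK/tlscerts.missing"
# Bundle after appending the issuing root, as suggested in the thread.
cat "$WORK/other.pem" "$WORK/root.pem" > "$WORK/tlscerts.out"

RESULT_WITHOUT_ROOT=$(verify_against_bundle "$WORK/tlscerts.missing" "$WORK/server.pem")
RESULT_WITH_ROOT=$(verify_against_bundle "$WORK/tlscerts.out" "$WORK/server.pem")

echo "issuing root absent from bundle:  $RESULT_WITHOUT_ROOT"
echo "issuing root present in bundle:   $RESULT_WITH_ROOT"
```

The first verification fails and the second succeeds, which is exactly why appending the provider's root certificate to tlscerts.out made the GMX certificate validate: the client trusts whatever roots are in the bundle and nothing else, so the decision rests on which CAs you choose to put there.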