On Wed, November 12, 2014 8:26 am, James B. Byrne wrote:
>
> On Tue, November 11, 2014 13:05, Alexander Farber wrote:
>> And ignore the Chrome people getting
>> the certificate warning at https://harte-lyne.ca too ;-)
>>
>
> We operate our own CA.

Yes, that is what I was doing for years too (till we got access to Certs
paid by the central university IT office).

Mostly those who are harassing you on this list seem to have much less
knowledge on each of the subjects than you do. It is just my observation.
Not that I'm saying everybody is using gmail, but, of course,
knowledgeable ones do not make any noise.

It somehow comes to my mind what I've heard once (not intended to offend
anyone, but if you think about it, it carries some wisdom, for me at
least): "Never argue with the fool, or others will not notice any
difference between you two".

Valeri

> If you 'TRUST' us then you can add the root cert for our CA by visiting
> http://ca.harte-lyne.ca/CA_HLL_ISSUER_01/ca.crt and accepting the cert
> (presumably after reading the CP and CPS statements). Then the warning
> will disappear. If not then you can leave or proceed, accepting the
> exception permanently or not, as your inclination dictates.
>
> That web site is ancient and was designed for straight http access. It
> is in the process of revision but that is not in my hands and given past
> events I have no expectation of anything changing soon. We have since
> gone to "https everywhere" and thus the certificate is now an issue.
> Most of our sites are blocked to outside access or require
> authentication in any case.
>
> That said, the issue of Trusted certificates is problematic. In my
> opinion, the present state of the PKI CA's is in such disarray that
> anyone that is counting on the 'Trusted' CA's that come pre-installed in
> browser packages is living in blissful ignorance of the underlying risks
> presented thereby.
>
> Users are rarely aware, or realise the implications, of the fact that
> any 'Trusted' CA can issue a valid certificate for ANY domain. Any
> browser that 'Trusts' that CA will accept any site presenting said
> certificate as legitimate. This is the singular weakness of imposing a
> hierarchical requirement on top of a distributed solution. DNSSEC is
> representative of the alternative approach that I believe eventually
> will be adopted for all forms of network identities, including email.
>
> Our company policy at the moment does not properly address the Trusted
> CA issue either; other than we have set up and exclusively use our own
> CA for our own use. I am pushing to have all default trusted roots
> removed from all users' browsers and only approved roots added back.
> This is not feasible at the present time because of the lack of any
> automated tool (of which I am aware and that is FLOSS) to enforce it.
>
> For that matter, we are still waiting for our registrar to support
> DNSSEC, for which we have been ready since early 2012 and the .ca
> registrar since 2013.
>
>
> --
> *** E-Mail is NOT a SECURE channel ***
> James B. Byrne mailto:ByrneJB@xxxxxxxxxxxxx
> Harte & Lyne Limited http://www.harte-lyne.ca
> 9 Brockley Drive vox: +1 905 561 1241
> Hamilton, Ontario fax: +1 905 561 0757
> Canada L8E 3C3
>
> _______________________________________________
> CentOS mailing list
> CentOS@xxxxxxxxxx
> http://lists.centos.org/mailman/listinfo/centos
>

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
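The quoted message makes two points worth demonstrating: any CA in a client's trust store can vouch for any domain, so the only real control is which roots are in that store; and the poster wanted an automated way to strip the default roots and add back only approved ones. The script below is an added example written for this thread, not a tool from either poster or from the CentOS project. It implements the "approved roots only" policy as an allow-list of SHA-256 certificate fingerprints applied to a PEM bundle: every block whose fingerprint is not on the list is dropped. The PEM "certificates" it operates on are constructed opaque byte strings, not real DER certificates, so it runs offline; the file path named in the comments is only where a real bundle would typically live.

```python
"""Filter a PEM CA bundle down to an allow-list of approved root fingerprints."""
import base64
import hashlib
import re

# Matches one CERTIFICATE block in a PEM bundle; group 1 is the base64 body.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL
)


def pem_block(der: bytes) -> str:
    """Wrap DER bytes in PEM armour (base64 wrapped at 76 columns)."""
    body = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----"


def parse_pem_bundle(text: str) -> list:
    """Return the DER bytes of every CERTIFICATE block found in a PEM bundle."""
    return [
        base64.b64decode("".join(m.group(1).split()))
        for m in PEM_RE.finditer(text)
    ]


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of the DER, in the colon-separated form openssl prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def filter_bundle(text: str, approved: set):
    """Keep only the blocks whose fingerprint is on the approved allow-list.

    Returns (filtered_pem_text, kept_fingerprints, dropped_fingerprints) so a
    caller can log exactly which roots were removed from the store.
    """
    kept, dropped, blocks = [], [], []
    for der in parse_pem_bundle(text):
        fp = fingerprint(der)
        if fp in approved:
            kept.append(fp)
            blocks.append(pem_block(der))
        else:
            dropped.append(fp)
    return "\n".join(blocks) + ("\n" if blocks else ""), kept, dropped


# Constructed inputs: these are NOT real certificates, just opaque byte strings
# standing in for DER so the allow-list logic can be exercised offline. In
# practice the bundle would be read from a file such as
# /etc/pki/tls/certs/ca-bundle.crt (the usual location on CentOS).
OUR_CA_DER = b"constructed DER: our own private CA root"
PUBLIC_ROOT_1 = b"constructed DER: pre-installed public root 1"
PUBLIC_ROOT_2 = b"constructed DER: pre-installed public root 2"

SAMPLE_BUNDLE = (
    "\n".join(pem_block(d) for d in (PUBLIC_ROOT_1, OUR_CA_DER, PUBLIC_ROOT_2)) + "\n"
)

# The allow-list a site would maintain: only roots it has reviewed and approved.
APPROVED = {fingerprint(OUR_CA_DER)}


if __name__ == "__main__":
    filtered, kept, dropped = filter_bundle(SAMPLE_BUNDLE, APPROVED)
    print(f"kept {len(kept)} root(s), dropped {len(dropped)}")
    for fp in dropped:
        print("removed:", fp)
    print(filtered)
```

The design choice is to key the allow-list on the fingerprint of the encoded certificate rather than on its subject name, because a subject name is whatever the issuer chose to write and two different roots can carry the same one; the fingerprint identifies one exact certificate. The filtered text can be handed to a client instead of the default store, for example with `ssl.create_default_context(cafile=...)` in Python, so that only the approved roots are able to vouch for any domain. On CentOS the system-level equivalent of the same policy is the `update-ca-trust` mechanism, which lets an administrator blacklist individual roots from the packaged bundle.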