[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: NSM certificate prompt

From: Michael Albinus
Subject: Re: NSM certificate prompt
Date: Sat, 13 Dec 2014 18:06:37 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.0.50 (gnu/linux)

Eli Zaretskii <address@hidden> writes:

> If I do the same for savannah.gnu.org in IE, it shows the following
> certification path:
>    UTN-USERFirst-Hardware
>     Gandi Standard SSL CA
>      savannah.gnu.org
> Emacs's eww prompts me about https://savannah.gnu.org and shows me
> this information about its certificate:
>   Certificate information
>   Issued by:          Gandi Standard SSL CA
>   Issued to:          Domain Control Validated
>   Hostname:           savannah.gnu.org
>   Public key:         RSA, signature: RSA-SHA1
>   Protocol:           TLS1.0, key: RSA, cipher: AES-128-CBC, mac: SHA1
>   Security level:     Medium
>   Valid:              From 2014-03-05 to 2015-03-05
>   The TLS connection to savannah.gnu.org:443 is insecure for the
>   following reasons:
>   certificate signer was not found (self-signed)
>   certificate could not be verified
> which also talks about Gandi Standard SSL CA.  So I wonder why GnuTLS
> isn't happy with this, while MS IE is.  Am I missing something?

Likely for the same reason as Firefox: it knows the certificate(s) which
have been used for signing "Gandi Standard SSL CA". In your case, it is

In Firefox, the chain is shown as

  AddTrust External CA Root
    Gandi Standard SSL CA

One hop more ...

> (Please be gentle: I know nothing about Internet security and
> certificates.)

Not a big deal: Every certificate must be signed by another one
(certificate authority, or CA), which gives you the trust that this
certificate is valid. The CA certificate must be signed ("guarantee that
it is true") by another one, and so on. This is called a chain of trust.

In order not to create an infinite chain, there are so-called Root CAs,
which are "known by default". If any chain ends in such a root
certificate, you know that the initial certificate is true.

The problem is to distribute and maintain such root
certificates. Browsers have them built-in, but I don't believe Emacs
(eww) shall do so.

Best regards, Michael.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]