Re: NSM certificate prompt
From: Michael Albinus
Subject: Re: NSM certificate prompt
Date: Sat, 13 Dec 2014 18:06:37 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.0.50 (gnu/linux)

Eli Zaretskii <address@hidden> writes:
> If I do the same for savannah.gnu.org in IE, it shows the following
> certification path:
>
> UTN-USERFirst-Hardware
> Gandi Standard SSL CA
> savannah.gnu.org
>
> Emacs's eww prompts me about https://savannah.gnu.org and shows me
> this information about its certificate:
>
> Certificate information
> Issued by: Gandi Standard SSL CA
> Issued to: Domain Control Validated
> Hostname: savannah.gnu.org
> Public key: RSA, signature: RSA-SHA1
> Protocol: TLS1.0, key: RSA, cipher: AES-128-CBC, mac: SHA1
> Security level: Medium
> Valid: From 2014-03-05 to 2015-03-05
>
>
> The TLS connection to savannah.gnu.org:443 is insecure for the
> following reasons:
>
> certificate signer was not found (self-signed)
> certificate could not be verified
>
> which also talks about Gandi Standard SSL CA. So I wonder why GnuTLS
> isn't happy with this, while MS IE is. Am I missing something?

Likely for the same reason as Firefox: it knows the certificate(s) which
have been used for signing "Gandi Standard SSL CA". In your case, it is
"UTN-USERFirst-Hardware".

In Firefox, the chain is shown as

    AddTrust External CA Root
    UTN-USERFirst-Hardware
    Gandi Standard SSL CA
    savannah.gnu.org

One hop more ...

> (Please be gentle: I know nothing about Internet security and
> certificates.)

Not a big deal: Every certificate must be signed by another one
(certificate authority, or CA), which gives you the trust that this
certificate is valid. The CA certificate must be signed ("guarantee that
it is true") by another one, and so on. This is called a chain of trust.

In order not to create an infinite chain, there are so-called Root CAs,
which are "known by default". If any chain ends in such a root
certificate, you know that the initial certificate is true.

The problem is to distribute and maintain such root
certificates. Browsers have them built-in, but I don't believe Emacs
(eww) shall do so.

Best regards, Michael.
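
The chain walk described in this message, as an added example that is not part of the original mail and is not Emacs or GnuTLS code. It models path building by issuer name only (signature, validity and CA-flag checks are omitted); `build_path`, `PRESENTED` and the three trust stores are hypothetical names, and which certificates the server actually sends is an assumption.

```python
# Constructed records (subject -> issuer) using the names quoted in the thread.
# Assumption: all three certificates are available to the client.
PRESENTED = {
    "savannah.gnu.org": "Gandi Standard SSL CA",
    "Gandi Standard SSL CA": "UTN-USERFirst-Hardware",
    "UTN-USERFirst-Hardware": "AddTrust External CA Root",
}

# Constructed trust stores, one per client behaviour seen in the thread.
STORE_SHORT = {"UTN-USERFirst-Hardware"}      # path stops at UTN (3 entries)
STORE_LONG = {"AddTrust External CA Root"}    # "one hop more" (4 entries)
STORE_EMPTY = set()                           # no root certificates installed


def build_path(leaf, presented, trust_store):
    """Follow issuer links from `leaf` until a trusted subject is reached.

    Returns (path, None) when the chain ends in the trust store, otherwise
    (path_so_far, reason). Names only: a real validator also verifies each
    signature, the validity period and the CA basic constraint.
    """
    path, current = [leaf], leaf
    while current not in trust_store:
        issuer = presented.get(current)
        if issuer is None:
            # Nobody vouches for `current`: it is neither trusted nor presented.
            return path, "signer not found: %r is neither trusted nor presented" % current
        if issuer in path:
            # Self-signed or circular chain that never reaches a trusted root.
            return path, "chain loops at %r without reaching a trusted root" % issuer
        path.append(issuer)
        current = issuer
    return path, None


if __name__ == "__main__":
    for name, store in [("short", STORE_SHORT), ("long", STORE_LONG), ("empty", STORE_EMPTY)]:
        path, reason = build_path("savannah.gnu.org", PRESENTED, store)
        print(name, "->", " <- ".join(path), "|", reason or "trusted")
```
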