Re: [Savannah-users] Savannah's x.509 certificate fingerprints
From: Sylvain Beucler
Subject: Re: [Savannah-users] Savannah's x.509 certificate fingerprints
Date: Wed, 20 Jun 2007 07:35:45 +0200
User-agent: Mutt/1.5.13 (2006-08-11)

On Wed, Jun 20, 2007 at 03:30:04AM +0000, Taylor R Campbell wrote:
> Date: Wed, 20 Jun 2007 00:36:19 +0200
> From: Sylvain Beucler <address@hidden>
>
> Yes, the page had links to download outdated certificates from last
> year (the fingerprints are up-to-date).
>
> Thanks! I forgot to check the expiration dates on the certificates
> while I was examining them; that would have been a rather obvious
> tip-off.
>
> I fixed the page and added instructions on how to display/check the
> certificates using GnuTLS, and also how to extract the certificate out
> of the running server.
>
> Excellent, this is very helpful.
>
> There are a few HTML errors in that page now (or were there before):
>
> . mismatched <h2>Certificates</h1> at the top;
> . superfluous </a> in the list of certificates, in the entry for
> cvs.*gnu.org;
> . doubled, unclosed heading: <h2>Check for yourself!<h2>;
> . non-escaped angled-brackets in the GnuPG output surrounding email
> addresses -- `<address@hidden>' instead of `&lt;address@hidden&gt;' --
> and in shell examples -- `certool -i < savannah.gnu.org.crt' instead
> of `certool -i &lt; savannah.gnu.org.crt'; and
> . doubled, unclosed anchor: <a href="...certtool.html">doc<a>.
>
> I can fix all this and send a corrected page if you'd like.

Thanks, I fixed them (and a couple others with use of HTML Tidy).

> Also, I wonder whether it might be worth mentioning that if the pages
> are downloaded with `curl', the authenticity of the server can be
> implicitly checked simply by specifying `ca.crt' with the `--cacert'
> option; that is, after fetching `ca.crt', one can run `curl --cacert
> ca.crt -O http://savannah.gnu.org/tls/....crt'. There may be a
> similar option for `wget', but I don't know.

You need to use https :) But well, I think people either already know
that or use Firefox/Konqueror/etc. to do so.

> Finally, it's a little confusing to have a file named
> `cvs.*gnu.org.crt', even though it works on Unix. I suspect that it
> may not work on Windows, but I don't know for certain -- haven't
> touched a Windows machine in over a decade! --, and I don't know
> whether you folks care about that. It can be mildly flummoxing to
> have to deal with escaping the asterisk in Unix shells, however.

It simplifies the script to have CN==filename :)
MS Woe users will probably be prompted with an edited filename before
saving it to disk.

--
Sylvain
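
The check discussed in this thread (compare a downloaded certificate with the published fingerprint, and look at its expiration date), as an added example that is not part of the original message or of Savannah's page. It uses the OpenSSL command-line tool rather than the GnuTLS `certtool` mentioned above and assumes SHA-256 fingerprints; the function names are hypothetical and the sample certificate is generated locally for `example.invalid`.

```shell
#!/bin/sh
# Added example: verify a downloaded PEM certificate against a fingerprint
# obtained out of band, then confirm it is still inside its validity period.
# All function names are hypothetical; the sample certificate is constructed.

# Normalise a fingerprint: drop colons and spaces, upper-case the hex digits.
norm_fp() {
    printf '%s' "$1" | tr -d ': \n' | tr 'abcdef' 'ABCDEF'
}

# Print the SHA-256 fingerprint of a PEM certificate as bare hex.
cert_fp() {
    out=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null) || return 1
    # Output looks like "sha256 Fingerprint=AB:CD:..."; keep what follows "=".
    norm_fp "${out#*=}"
}

# check_cert FILE PUBLISHED_FP [MIN_SECONDS_LEFT]
# Returns 0 if the fingerprint matches and the certificate stays valid for at
# least MIN_SECONDS_LEFT more seconds (default 0, i.e. "not expired now").
# Returns 1 on fingerprint mismatch, 2 if expired or expiring too soon,
# 3 if the file cannot be parsed as a certificate.
check_cert() {
    file=$1
    want=$(norm_fp "$2")
    min_left=${3:-0}
    got=$(cert_fp "$file") || return 3
    [ "$got" = "$want" ] || return 1
    # A matching fingerprint says nothing about freshness, so check dates too.
    openssl x509 -in "$file" -noout -checkend "$min_left" >/dev/null 2>&1 || return 2
    return 0
}

# Constructed sample: a self-signed certificate valid for one day, written to
# DIR/cert.pem, so the functions above can be tried offline.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=example.invalid" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}
```

The published fingerprint passed to `check_cert` has to come from a channel other than the one the certificate was downloaded over, otherwise the comparison proves nothing.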