Comments on: New SSL Certificates

By: Scott C

Scott C — Wed, 09 Feb 2011 01:57:59 +0000

Sorry Matthew – Freudian Slip – The correct name is Project ‘Gatekeeper’ not Project ‘Gateway’…but I would not go poking too far above normal browsing ….lol – Happy to talk over email any time mate!

By: Scott C

Scott C — Mon, 07 Feb 2011 21:20:09 +0000

Mathew,
I think I may regret typing this.
My Country runs ALL of its total .GOV.MIL.??? – Browser,Email – the whole PKI if you will – Its no secret that it is called project “GATEWAY” and I know I am going to regret this but…
think of me as writing the whole PKI Book on the Subject – Someone had to teach the teachers.

Give my email address I enclose a hit or two if you want to talk on this Subject – Otherwise please dont use this address…thanks – I think I will throw up now…lol…:-)

I am GMT+10 and can get setup for IRC…IF you need a little bit of help I will happily help BUT …Don’t bother with countless RFC’s – As the issue of trust on the Net was an afterthought. many RFC’s had to have back dated changes, and as such, are as clear as mud and almost contradict themselves….Scott C

By: MatthewEhle

MatthewEhle — Mon, 07 Feb 2011 16:38:52 +0000

Ah, I see where you are going. I agree with you completely, but I wish I knew more about what they do now. Maybe a good discussion to bring up on the IRC channel :)

By: Scott C

Scott C — Mon, 07 Feb 2011 04:42:36 +0000

Thank you that – My concern was not with your servers update of new Trust, however as a matter of course both Enterprise Linux and Open.

Without continued validity of Certification and Revocation and valid trust certificates being auto updates- any browsers and all moneyart transactions ae based on trust.

The whole ABSENCE issue of trust certificates and SSL CERTIFICATES COMPLETELY COLLAPSES.

without transparent up to day trust and revocation as a big windows will open by E/bay saving he user is not trusted – Your very good with certificates Matthew; Enterprise I amuse is perfect – we just utilise the same inspection of the expiry/revocation/ no longer to guarantee trust type certificate that that simple issue – frightens the stuffing’s out of me to say the Least :-) Scott C

By: MatthewEhle

MatthewEhle — Mon, 07 Feb 2011 02:12:14 +0000

As far as I know, the SUSE releases that could be affected are well out of their support phase and probably would not be updating their certificate stores. Their list of trusted roots was extremely limited to begin with, which has been fixed in later versions of SUSE Linux.

As far as PGP certificates go, those are not affected in any way by this certificate change.

As mentioned in the original article, Firefox and other browser DO maintain their own certificate stores, they are updated through the browser updates, and they contain a much more comprehensive library of trusted roots. They should not be affected by this change at all (with the possible exception of Konqueror, which has a very limited trust store).

By: Scott C

Scott C — Sun, 06 Feb 2011 22:55:34 +0000

I would have thought that ALL root certificates and ALL trust Certificates OR Revocation, would come via normal OpenSuse Updater ! Yes/No??? – I think I feel sick…. :-(

I also thought that when required, auto refresh of any Repository, where their PGP Certificates OR Revocation would also auto update! Yes/No ???

I had also thought that FF or any Browser would auto update any Trust or SSL Certificates that was due to expire by date or revocation would also auto update by FF or other Browser’s or any other dependant application. However that is an issue for FF and all else. Yes/No???

By: MatthewEhle

MatthewEhle — Fri, 04 Feb 2011 18:02:12 +0000

As an additional note, we will be using a multi-SAN certificate in place of a wildcard for suse.de. This may also cause problems for very old systems, but this type of certificate has been part of the SSL standard for a number of years. We don’t anticipate any real problems coming from this.