Valid vs Invalid SSL certificates - Was: Re: ISPDB configs without STARTTLS and/or SSL
tanstaafl at libertytrek.org
Wed Jan 23 13:37:10 UTC 2013
Thanks very much for the detailed explanation.
While I understand the reasoning, I'm *very* interested in your response
to ace's last reply about how the use of the Certificate Patrol
extension combined with a properly installed self-signed cert is
actually more secure than using a trusted cert issued by a CA (without
the Cert Patrol extension installed)...
And again... I absolutely don't mind the current state of 'annoying' for
adding an exception (it is vastly superior to Outlook's method), and even
agree with the idea of changing the default option to *permanently*
store a self-signed cert to unchecked, as long as it is still only a few
clicks to add the exception.
Also, it sounds like, in your last comment about 'certificate pinning',
that you are describing a similar but less functional method for dealing
with changed certs than Cert Patrol uses... so, why not just incorporate
its functionality instead of reinventing the wheel?