Valid vs Invalid SSL certificates - Was: Re: ISPDB configs without STARTTLS and/or SSL

Tanstaafl tanstaafl at
Wed Jan 23 13:37:10 UTC 2013

Hi Andrew,

Thanks very much for the detailed explanation.

While I understand the reasoning, I'm *very* interested in your response 
to ace's last reply about how the use of the Certificate Patrol 
extension combined with a properly installed self-signed cert is 
actually more secure than using a trusted cert issued by a CA (without 
the Cert Patrol extension installed)...

And again... I absolutely don't mind the current state of 'annoying' for 
adding an exception (it is vastly superior to Outlooks method), and even 
agree with the idea of changing the default option to *permanently* 
store a self-signed cert to unchecked, as long as it is still only a few 
clicks to add the exception.

Also, it sounds like, in your last comment about 'certificate pinning', 
that you are describing a similar but less functional method for dealing 
with changed certs than Cert Patrol uses... so, why not just incorporate 
its functionality instead of reinventing the wheel?

Thanks again,


More information about the tb-planning mailing list