Valid vs Invalid SSL certificates - Was: Re: ISPDB configs without STARTTLS and/or SSL

Tanstaafl tanstaafl at libertytrek.org
Wed Jan 23 17:13:37 UTC 2013


On 2013-01-23 11:27 AM, Andrew Sutherland <asutherland at asutherland.org> 
wrote:
> I agree with Ace's statement, although I would probably qualify that
> with the statement that you really want to manually verify the hash of
> the key when first accepting it.

Good point, and what I meant by 'initially correctly installed'... ;)

> If the code [for the Certificate Patrol extension] is Apache 2.0
> licensed/compatible or the authors are willing to re-license,
> whatever code is reusable seems like a good thing to reuse. Judging
> from the AMO comments, it seems like the extension may have problems
> with server farms where not all machines use the same certificate, so
> it might not be a slam dunk and new code might need to be written to
> try and generalize the certificate to a specific CA-chain before
> alerting, etc.

My ignorance level on the technical aspects leaves me unable to even 
comment intelligently... ;)

> Another interesting Firefox certificate extension is convergence:
> http://www.convergence.io/index.html

Looks very interesting, thanks....

A thought... maybe one of the core devs (whoever would be the overseer 
of this part of the code) could contact the two extension authors, and 
see about a collaborative effort to first combining them into a single 
extension that supports both Ffox and Tbird, then resolve any 
outstanding issues, with the ultimate goal in mind of accepting the code 
into the core code once this is done?



More information about the tb-planning mailing list