Valid vs Invalid SSL certificates - Was: Re: ISPDB configs without STARTTLS and/or SSL
tanstaafl at libertytrek.org
Wed Jan 23 17:13:37 UTC 2013
On 2013-01-23 11:27 AM, Andrew Sutherland <asutherland at asutherland.org> wrote:
> I agree with Ace's statement, although I would probably qualify that
> with the statement that you really want to manually verify the hash of
> the key when first accepting it.
Good point, and what I meant by 'initially correctly installed'... ;)
> If the code [for the Certificate Patrol extension] is Apache 2.0
> licensed/compatible or the authors are willing to re-license,
> whatever code is reusable seems like a good thing to reuse. Judging
> from the AMO comments, it seems like the extension may have problems
> with server farms where not all machines use the same certificate, so
> it might not be a slam dunk and new code might need to be written to
> try and generalize the certificate to a specific CA-chain before
> alerting, etc.
My ignorance level on the technical aspects leaves me unable to even
comment intelligently... ;)
> Another interesting Firefox certificate extension is convergence:
Looks very interesting, thanks....
A thought... maybe one of the core devs (whoever would be the overseer
of this part of the code) could contact the two extension authors, and
see about a collaborative effort to first combine them into a single
extension that supports both Ffox and Tbird, then resolve any
outstanding issues, with the ultimate goal in mind of accepting the code
into the core code once this is done?
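
Added example (not part of the original message, and not code from Certificate Patrol, Convergence or Thunderbird): a sketch of the idea quoted above of generalizing a pinned certificate to its CA chain before alerting, so that a server farm with several leaf certificates under one issuer does not raise an alert. `PinStore`, the status strings, the host name and the byte strings standing in for DER certificates are all hypothetical, and the chain is assumed to have been validated already by the TLS library.

```python
import hashlib

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint (hex) of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()

class PinStore:
    """Hypothetical trust-on-first-use store keyed by host name."""

    def __init__(self):
        self.pins = {}  # host -> {"leaves": set, "issuers": tuple}

    def check(self, host, chain):
        """chain is a list of DER certificates, leaf first.

        Assumes the TLS library has already validated the chain; this only
        decides whether a change since first use deserves an alert.
        """
        leaf = fingerprint(chain[0])
        issuers = tuple(fingerprint(c) for c in chain[1:])
        pin = self.pins.get(host)
        if pin is None:
            # First contact: the user should compare `leaf` with a fingerprint
            # obtained out of band before this pin is accepted.
            self.pins[host] = {"leaves": {leaf}, "issuers": issuers}
            return "first-use"
        if leaf in pin["leaves"]:
            return "match"
        # Unknown leaf. Accept it quietly only if the issuing chain is the one
        # pinned earlier (another machine in the same farm). A self-signed
        # certificate has no issuers, so any change to it always alerts.
        if issuers and issuers == pin["issuers"]:
            pin["leaves"].add(leaf)
            return "new-leaf-same-ca"
        return "alert"

# Constructed placeholder bytes standing in for DER certificates.
CA, OTHER_CA = b"constructed-ca", b"constructed-other-ca"
LEAF_A, LEAF_B, LEAF_C = b"constructed-leaf-a", b"constructed-leaf-b", b"constructed-leaf-c"
SELF_A, SELF_B = b"constructed-self-signed-a", b"constructed-self-signed-b"

def demo():
    store = PinStore()
    host = "mail.example.org"
    return [store.check(host, c) for c in
            ([LEAF_A, CA], [LEAF_A, CA], [LEAF_B, CA], [LEAF_C, OTHER_CA])]

if __name__ == "__main__":
    print(demo())
```

The trade-off of generalizing to the chain is that a different certificate issued under the same pinned CA is accepted without an alert.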