Thunderbird and Pretty Easy Privacy - current status

Gervase Markham gerv at mozilla.org
Mon Feb 29 11:32:13 UTC 2016


On 26/02/16 16:47, Nathan Tuggy wrote:
> It’s a sad day when privacy-oriented, bug-savvy Thunderbird contributors
> can’t recognize a CAcert <http://www.cacert.org/>-signed website.

If you don't have the CAcert root installed in your browser, then how do
you _know_ it's a CAcert-signed website? It says it is in the cert, but
anyone (CAcert or not) can create a cert that says that. The only way to
tell is if it chains up to the CAcert root.

This is the whole point of trust anchors. If you are saying that it's
safe to "recognise" a CAcert-signed website by looking for "CAcert" in
the certificate with an unknown issuer, then you've missed the point of PKI.

Gerv

