[GreenKeys] Oh! It’s a present from microsoft
Justin Myers
justin at justinmyers.net
Wed Apr 24 09:39:35 EDT 2019
On Wed, Apr 24, 2019, at 08:28, Bob kb8tq wrote:
> The “chain of trust” on the certificate is the gotcha. If you log into a US military
> site, it’s “not secure”. It’s HTTPS, but the certificate path is not one that the
> commercial guys recognize. The same thing gets you with most (if not all) of
> the “free” certificates.
I've never had a validation problem with the Let's Encrypt certificates. More on their chain of trust for the curious: https://letsencrypt.org/certificates/
> Pile on the next layer and it’s even more silly.
Depends entirely on why you're encrypting the traffic in the first place.
If you're primarily interested in certification hierarchies (e.g., "this site actually is operated under the auspices of DoD"), then the chain absolutely is important, as are the validation techniques the certificate authorities use to issue the certificates in the first place (i.e., not just "do you control this domain?").
If you're primarily interested in privacy from third-party observers (e.g., people sniffing packets on a coffee shop's wireless network), then even a self-signed certificate (no chain of trust at all) will do the job.
I see Let's Encrypt as somewhere in the middle: especially useful for encryption for privacy's sake, but with just enough of a chain of trust in place that they don't raise security warnings in most consumer web browsers.
-Justin, AC0EV
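To make the two situations in this thread concrete (a chain that ends in a root the verifier does not ship, and a self-signed certificate with no chain at all), here is an added example that is not part of the thread: it builds a constructed private PKI (root, intermediate, leaf, all names made up) and uses `openssl verify` to show which trust anchors each certificate needs. It assumes only a POSIX sh and the `openssl` command-line tool.

```shell
#!/bin/sh
# Constructed private PKI: root -> intermediate -> leaf, all generated here.
# Assumes the openssl CLI is on PATH; every name and file below is made up for the demo.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. Self-signed private root, standing in for a CA that commercial trust stores do not ship.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Constructed Private Root" -keyout root.key -out root.pem 2>/dev/null

# 2. Intermediate CA signed by the root; basicConstraints=CA:TRUE lets it sign the leaf.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Constructed Intermediate" \
  -keyout inter.key -out inter.csr 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 1 -extfile ca.ext -out inter.pem 2>/dev/null

# 3. Server (leaf) certificate signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=site.example" \
  -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 1 -out leaf.pem 2>/dev/null

# chain_ok CERT [ANCHOR]: exit 0 if CERT chains to a trusted root, non-zero otherwise.
# Without ANCHOR only the system trust store is consulted, like a stock browser;
# the intermediate is always offered as an untrusted helper, as a server would send it.
chain_ok() {
  cert=$1
  anchor=${2:-}
  if [ -n "$anchor" ]; then
    openssl verify -CAfile "$anchor" -untrusted inter.pem "$cert" >/dev/null 2>&1
  else
    openssl verify -untrusted inter.pem "$cert" >/dev/null 2>&1
  fi
}

# Walk the four cases the thread talks about: a private chain with and without its
# root installed, and a self-signed cert with and without explicitly trusting it.
for sample in "leaf.pem" "leaf.pem root.pem" "root.pem" "root.pem root.pem"; do
  if chain_ok $sample; then        # unquoted on purpose: split into CERT and ANCHOR
    echo "accepted: openssl verify $sample"
  else
    echo "rejected: openssl verify $sample   (no trusted anchor for this chain)"
  fi
done
```

The encryption itself is the same in every case; what changes is whether the verifier has any anchor that lets it say who it is talking to.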