From: Mick
To: gentoo-user@lists.gentoo.org
Subject: [gentoo-user] Re: Accepting as trusted b.g.o. certificates [was: From where the word 'gentoo' came?]
Date: Fri, 23 Dec 2011 19:23:13 +0000

On Thursday 22 Dec 2011 06:26:53 LinuxIsOne wrote:
> On Wed, Dec 21, 2011 at 12:50 PM, Nikos Chantziaras wrote:
> > So it's either add cacert.org to your trusted authorities, or live in
> > hell when browsing b.g.o. IMO that's just stupid. I want to trust just
> > b.g.o, not every site out there that has a cacert certificate.
>
> Okay so how do I add only b.g.o of the cacert.org and not others? Can
> you tell me the step by step process?

A browser (e.g. Firefox) will pop up a warning that the particular website
(b.g.o.) certificate or the CA root certificate that has signed the website
certificate is not trusted. Under Technical Details it says:

"sec_error_untrusted_issuer"

So FF does not 'trust' CACert as the issuer of legitimate certificates, because
CACert's root certificate is not stored in FF's list of SSL Certification
Authorities. If you go to Preferences/Advanced/Encryption/View
Certificates/Authorities, you'll see that CACert is not in there.

At that moment you need to click on the relevant buttons of the warning
message and ask the browser to accept the certificate.
There should also be some tick box asking the browser to store the certificate
as trusted permanently.

If you click to add this exception permanently you can click on View to see
the details of the SSL certificate chain. There are 3 certificates in the
bundle:

1. CA Cert Signing Authority

The details tell you that this is the Root CA (self-signed). This is used to
sign the second certificate.

2. CAcert Class 3 Root

The details tell you that this is a Class 3 Root certificate which is used in
turn to sign the b.g.o. website certificate.

3. bugs.gentoo.org

This is the website certificate signed by 2 above.

Now if you click to permanently store the b.g.o. certificate, FF will store not
just certificate number 3, but the complete chain of signatory certificates.
You can examine these if you go to View Certificates and then Servers.

However, this chain of certificates does not implicitly trust certificates 1 and
2 above - unless you import these from the CACert website. In that case they
will show under the tab called Others, because you have imported these
yourself. Having done that, then any website that has a certificate signed by
CACert will be accepted automatically and you won't be warned about the Issuer
not being a Trusted CA.

Not all browsers are the same or choose to behave the same way on this matter,
but these are the basic principles.

-- 
Regards,
Mick
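
The difference the message above describes, between a stored exception for one site certificate and an imported CA root, reproduced with the openssl command line as an added example that is not part of the original post. The CA names, host names, file names and the fingerprint comparison standing in for the browser's stored exception are constructed for the demo; it assumes OpenSSL 1.1.0 or later.

```shell
#!/usr/bin/env bash
# Constructed demo PKI (not CAcert's real certificates):
# self-signed root -> "class 3" intermediate -> two site certificates.
set -eu
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT; cd "$work"
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[demo_ca]
basicConstraints = critical,CA:TRUE
EOF
new_req() {  # $1 = file stem, $2 = subject CN; writes $1.key and $1.csr
  openssl req -new -config pki.cnf -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}
sign() {     # $1 = subject stem, $2 = issuer stem, rest = extra x509 options
  subj=$1; ca=$2; shift 2
  openssl x509 -req -in "$subj.csr" -CA "$ca.pem" -CAkey "$ca.key" \
    -CAcreateserial -days 30 "$@" -out "$subj.pem" 2>/dev/null
}
new_req root "Demo Root CA"
openssl x509 -req -in root.csr -signkey root.key -days 30 \
  -extfile pki.cnf -extensions demo_ca -out root.pem 2>/dev/null
new_req class3 "Demo Class 3 Root"
sign class3 root -extfile pki.cnf -extensions demo_ca
new_req bugs "bugs.example.test";   sign bugs class3
new_req other "other.example.test"; sign other class3

# Imported-CA trust: the chain must end at a root in the trust store.
# $1 = site certificate, $2 = file of trusted roots (omit for "root not imported").
ca_trusts() {
  if [ -n "${2:-}" ]; then anchors="-CAfile $2"; else anchors="-no-CAfile"; fi
  openssl verify -no-CApath $anchors -untrusted class3.pem "$1" >/dev/null 2>&1
}
# Stored exception: only the exact certificate that was accepted matches.
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }
exception_trusts() { [ "$(fingerprint "$1")" = "$2" ]; }   # $2 = stored fingerprint

pin=$(fingerprint bugs.pem)   # demo stand-in for the permanently stored exception
report() { if "$@"; then echo "accept: $*"; else echo "reject: $*"; fi; }
report ca_trusts bugs.pem                  # root not imported: untrusted issuer
report ca_trusts bugs.pem root.pem         # root imported
report ca_trusts other.pem root.pem        # every site under that CA now passes
report exception_trusts bugs.pem "$pin"    # the excepted site
report exception_trusts other.pem "$pin"   # another site under the same CA
```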