Displaying 12 results from an estimated 12 matches for "diginotar".

2019 Mar 14
3
regarding ssl certificates
...cing a snakeoil cert with one from Let's Encrypt. > > [rest of ignorant rant trimmed] Some facts for you, as obviously you have not understood what a CA is worth that is compromised by either hackers or "authorities". If you want to know more, read articles about closing of CA DigiNotar, like: https://en.wikipedia.org/wiki/DigiNotar Then read US export laws concerning security devices. Then judge your US-issued certs... > Phil -- Best regards, Stephan von Krawczynski ------------------------------------------------------ ith Kommunikationstechnik GmbH Delivery address : Reiterst...
2019 Mar 14
5
regarding ssl certificates
On Thu, 14 Mar 2019 12:13:15 +0100 "Guido Goluke, MajorLabel via dovecot" <dovecot at dovecot.org> wrote: > On 14-03-19 at 11:46, mick crane via dovecot wrote: > > Excuse dopey question. > > I'm not exactly clear about certificates. > > Apache2 default install has this snake oil certificate > > Can make a new one for apache > > Can make one
2017 Aug 10
4
is a self signed certificate always invalid the first time?
...you run the same risk of entropy (incorrect documentation or records, no trained staff, no up to date procedures etc.) large companies have to deal with. Maybe if you had one person working full time on it, or an automated process handling things it would be more secure and reliable. > > Was diginotar the Dutch company, I think I remember that one. > > Sent from my iPhone > >> On 10 Aug 2017, at 08:18, Stephan von Krawczynski <skraw at ithnet.com> wrote: >> >> On Wed, 9 Aug 2017 08:39:30 -0700 >> Gregory Sloop <gregs at sloop.net> wrote: >>...
2019 Mar 15
0
regarding ssl certificates
...from Let's Encrypt. > > > > [rest of ignorant rant trimmed] > > Some facts for you, as obviously you have not understood what a CA is worth > that is compromised by either hackers or "authorities". > If you want to know more, read articles about closing of CA DigiNotar, like: > https://en.wikipedia.org/wiki/DigiNotar > > Then read US export laws concerning security devices. > Then judge your US-issued certs... > > > Phil > I concur Stephan; I apologize to others if I seem ignorant. Just an FYI, a founder of Let's Encrypt, and host...
2017 Aug 10
0
is a self signed certificate always invalid the first time?
...ows large you run the same risk of entropy (incorrect documentation or records, no trained staff, no up to date procedures etc.) large companies have to deal with. Maybe if you had one person working full time on it, or an automated process handling things it would be more secure and reliable. Was diginotar the Dutch company, I think I remember that one. Sent from my iPhone > On 10 Aug 2017, at 08:18, Stephan von Krawczynski <skraw at ithnet.com> wrote: > > On Wed, 9 Aug 2017 08:39:30 -0700 > Gregory Sloop <gregs at sloop.net> wrote: > >> AV> So i'm using doveco...
2017 Aug 10
8
is a self signed certificate always invalid the first time?
...server > cert with] to all the connecting clients as a trusted CA. This way your self > signed cert would now be "trusted." > > [The details are left as an exercise to the reader. Google is your friend.] > > -Greg This was exactly the global thinking - until the day DigiNotar fell. Since that day everybody should be aware that the true problem of a certificate is not its issuer, but the "trusted" third party CA. This could have been known way before of course by simply thinking about the basics. Do you really think your certificate gets more trustworthy becaus...
2017 Aug 10
0
is a self signed certificate always invalid the first time?
...>entropy (incorrect documentation or records, no trained staff, no up to >date procedures etc.) large companies have to deal with. Maybe if you >had one person working full time on it, or an automated process >handling things it would be more secure and reliable. >> >> Was diginotar the Dutch company, I think I remember that one. >> >> Sent from my iPhone >> >>> On 10 Aug 2017, at 08:18, Stephan von Krawczynski <skraw at ithnet.com> >wrote: >>> >>> On Wed, 9 Aug 2017 08:39:30 -0700 >>> Gregory Sloop <gregs at...
2018 Sep 01
0
Certificates
...act that some sort of vetting was made to ensure that nobody could have issued a certificate for a domain they didn't really control. But the later step is not very friendly to automation. And CAs can principally issue certificates for any domain - a fact brought home by the compromise of Dutch CA DigiNotar in the Fall 2011. Adding to the fact is a concentration-process in the industry that leads to fewer and fewer companies that know less and less of their customers. These days, a certificate just shows that the communication is encrypted. Whether the other endpoint is what it claims to be is of no...
2017 Aug 10
0
is a self signed certificate always invalid the first time?
...t; cert with] to all the connecting clients as a trusted CA. This way your self >> signed cert would now be "trusted." >> [The details are left as an exercise to the reader. Google is your friend.] >> -Greg SvK> This was exactly the global thinking - until the day DigiNotar fell. SvK> Since that day everybody should be aware that the true problem of a SvK> certificate is not its issuer, but the "trusted" third party CA. SvK> This could have been known way before of course by simply thinking about the SvK> basics. Do you really think your certific...
2018 Sep 01
2
Certificates
> > And for other services like IMAP, SMTP, LDAP (maybe not LDAP) constant > changing certs even with a long lived root may get old for your customers. Why? I have corporate systems on 2 year commercial CA signed certificates and personal servers on 90 day LetsEncrypt ones - my users of IMAP and SMTP have never ever noticed when I changed the certificates on any device. They
2014 Apr 18
4
Changing SSL certificates - switching from self-signed to RapidSSL
Hi all, Ok, been wanting to do this for a while, and I after the Heartbleed fiasco, the boss finally agreed to let me buy some real certs... Until now, we've been using self-signed certs with the following dovecot config: ssl = required ssl_cert = </etc/ssl/ourCerts/imap.pem ssl_key = </etc/ssl/ourCerts/imap_key.pem Now, I've created new keys/certs and the CSR, got the new
2017 Aug 09
5
is a self signed certificate always invalid the first time?
So i'm using dovecot, and i created a self signed certificate with mkcert.sh based on dovecot-openssl.cnf. The name in there matches my mail server. The first time it connects in mac mail however, it says the certificate is invalid and another server might pretend to be me etc. I then have the option of trusting it. Is this normal behaviour? Will it always be invalid if it's not signed by a