On Fri February 25 2011, John R Pierce wrote:
> On 02/25/11 4:28 PM, David Schwartz wrote:
> > On 2/25/2011 11:59 AM, Michael S. Zick wrote:
> >> On Fri February 25 2011, Ricardo Custodio wrote:
> >>> See www.icp.edu.br
> >>>
> >>
> >> Interesting, I get a "server certificate fails authentication"
> >> from the above address.
> >
> > You haven't chosen to trust the CA that issued it.
> >
> >> Keep in mind that when the person offering advice can't get it right.
> >> . . .
> >
> > How is your decision not to trust the CA he chose to use a mistake on
> > his part?
>

See below.

> the root certificate in question is not in either Google Chrome's list
> of CAs, or in Mozilla Firefox's list.
>
> "AC-SSL da ICPEDU" is the Root CA, issuing a certificate to www.icp.edu.br
>
> The Root Certificate appears to be one locally generated...
>
>     CN=AC-SSL da ICPEDU
>     S=Distrito Federal
>     C=BR
>     E=go...@icp.edu.br
>     O=ICPEDU
>     O=RNP
>     L=Brasilia
>
> with an issuer statement...
>
>     Os certificados da ICPEDU sao para uso exclusivo por instituicoes
>     brasileiras de ensino e pesquisa, e nao tem eficacia probante.
>
> which iGoogle roughly translates as...
>
>     Certificates of ICPEDU are for exclusive use by institutions of
>     higher education and research, and has no probative efficacy.
>

Nice review John, much better than I did from first impressions.

> So basically, this is pretty close to self-signed.
>

Evidently designed to work within a closed (or small, pre-defined) group
and working exactly as designed and intended.

>
>

Generation of a negative user impression when used outside of that group,
which also may or may not be as intended;
The server is redirecting scheme http to scheme https;
When encountering a partial URI without a scheme, many browsers assume
scheme http;
So the partial URI post (often) works like:
partial URI -> http -> server redirect to https -> negative impression

Which might have been the poster's intent or a simple oversight in assuming
the server was configured to serve the general public as http.

In my post it is the creation of a "negative impression" which might be
a "mistake" not anything to do with the handling of secure communications.
My bad for not being clearer.

Mike

> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
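The situation discussed in this thread, as an added example that is not part of the original messages: a certificate issued by a private root fails verification against the default trust store and passes once that root is supplied as a trust anchor. The subject names, file names and the functions make_pki and verify_leaf are made up for the example; only the openssl command-line tool is assumed.

```shell
#!/bin/sh
# Constructed demo: every name, subject and file here is made up for the example.

make_pki() {  # $1 = existing working directory
    dir=$1
    # Self-signed root, standing in for a closed-community CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/O=Example Org/CN=Example Private Root" \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null || return 1
    # Server key and certificate request.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null || return 1
    # The private root signs the server certificate.
    openssl x509 -req -in "$dir/leaf.csr" -days 30 \
        -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
        -out "$dir/leaf.pem" 2>/dev/null || return 1
}

verify_leaf() {  # $1 = directory; any further arguments go to `openssl verify`
    dir=$1; shift
    # `openssl verify` prints "<file>: OK" only when a chain to a trusted root is built.
    if openssl verify "$@" "$dir/leaf.pem" 2>/dev/null | grep -q ': OK$'; then
        echo trusted
    else
        echo untrusted
    fi
}

work=$(mktemp -d) && make_pki "$work" && {
    # The private root is in no default store, so the chain cannot be completed.
    echo "default trust store:  $(verify_leaf "$work")"
    # Same certificate, with the verifier choosing to trust the issuing root.
    echo "root added as anchor: $(verify_leaf "$work" -CAfile "$work/root.pem")"
}
rm -rf "$work"
```

The certificate is identical in both runs; only the verifier's set of trusted roots changes.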