> I can do that, however I am somewhat confused:
>
> Why are there no signatures or at least checksum files for these
> certificates? Considering the importance of a certificate, what ensures
> that the user is putting the right file on the device?
Well, if you download the certificate file from [1], then your browser actually verifies the certificate chain used by the letsencrypt.org website. And that chain itself contains the ISRG Root X1 cert. Hence, the certificate you are downloading is already trusted by your web browser; it is too late to do extra checks.

[1] https://letsencrypt.org/certs/isrgrootx1.pem

In fact, you could export the ISRG Root X1 cert from your web browser or operating system instead of downloading it again. And it would even be slightly safer in case someone hacks the HTTP server behind https://letsencrypt.org and substitutes the files there.

As to checksum files, they are mostly useful when downloading larger files (e.g., software) from mirrors. A mirror relieves the original distribution site of serving the clients, but said clients can use the checksum from the original site to verify that the mirror owner is not doing something nasty. However, when both the checksum and the file are served from the same server, the checksum brings little benefit.

One could wonder why an organization like Let's Encrypt is not offering a way to bootstrap trust in its X.509 certs from PGP, for example. Maybe there would be too few people to benefit from it, since folks just get the certs with their OS / browser anyway? And an attack on OS / browser developers themselves would be quickly spotted.

Best!
Wojtek

-- 
W. Kosior
website: https://koszko.org/koszko.html
fediverse: https://friendica.me/profile/koszko/profile
PGP fingerprint: E972 7060 E3C5 637C 8A4F 4B42 4BC5 221C 5A79 FD1A

On Tue, 11 Nov 2025 09:32:59 -0000 John via Replicant <[email protected]> wrote:

> Thank you, guys.
>
> I can do that, however I am somewhat confused:
>
> Why are there no signatures or at least checksum files for these
> certificates? Considering the importance of a certificate, what ensures
> that the user is putting the right file on the device?
_______________________________________________
Replicant mailing list
[email protected]
https://lists.osuosl.org/mailman/listinfo/replicant
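The check Wojtek describes above (trusting a downloaded root only because a byte-identical copy is already in the local trust store, rather than a checksum served from the same host) as an added example; this is not code from the thread or from Let's Encrypt. It is a stdlib-only Python script that fingerprints a downloaded PEM, looks for the same certificate in a trust-store directory such as /etc/ssl/certs, and optionally compares against a fingerprint obtained out of band; the store path and the PEM fixtures are constructed assumptions, and it parses PEM armour only without validating the certificate itself.

```python
import base64
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Dict, Iterator, Optional

# One PEM file (or a bundle such as ca-certificates.crt) may hold several blocks.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der_blocks(text: str) -> Iterator[bytes]:
    """Yield the DER bytes of every CERTIFICATE block; line breaks in the base64 are ignored."""
    for body in PEM_RE.findall(text):
        yield base64.b64decode("".join(body.split()), validate=True)

def sha256_fingerprint(der: bytes) -> str:
    """Same form as `openssl x509 -noout -fingerprint -sha256`: upper-case hex, colon-separated."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())

def trust_store_fingerprints(store_dir: Path) -> Dict[str, str]:
    """Fingerprint -> file name for every certificate found in the local trust-store directory."""
    found: Dict[str, str] = {}
    for path in sorted(p for p in store_dir.iterdir() if p.suffix in (".pem", ".crt")):
        for der in pem_to_der_blocks(path.read_text(errors="replace")):
            found[sha256_fingerprint(der)] = path.name
    return found

def check_download(pem_text: str, store_dir: Path, published_fp: Optional[str] = None) -> dict:
    """Is the downloaded cert byte-identical to one already trusted locally? Optionally also
    compare it with a fingerprint obtained out of band (e.g. from another machine)."""
    ders = list(pem_to_der_blocks(pem_text))
    if len(ders) != 1:
        raise ValueError(f"expected exactly one certificate, found {len(ders)}")
    fp = sha256_fingerprint(ders[0])
    result = {"fingerprint": fp, "already_trusted_as": trust_store_fingerprints(store_dir).get(fp)}
    if published_fp is not None:  # accept "AB:CD:..", "abcd..", or space-separated forms
        result["matches_published"] = re.sub(r"[^0-9A-F]", "", published_fp.upper()) == fp.replace(":", "")
    return result

# Constructed fixtures: PEM armour around arbitrary bytes, standing in for real certificates.
def make_constructed_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64)) + "\n-----END CERTIFICATE-----\n"

def build_constructed_store() -> Path:
    """A throw-away directory standing in for /etc/ssl/certs, holding one constructed root."""
    store = Path(tempfile.mkdtemp())
    (store / "ISRG_Root_X1.pem").write_text(make_constructed_pem(b"constructed root A" * 5))
    return store
```

On a real system, call `check_download(Path("isrgrootx1.pem").read_text(), Path("/etc/ssl/certs"))`; a non-empty `already_trusted_as` means the download is the same certificate your OS already ships.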
