On 27/02/14 17:37, Jimmy Kaplowitz wrote:
> On Thu, Feb 27, 2014 at 07:43:32AM +0000, TJ wrote:
>> Visiting spi-inc.org [2] I hit another issue with an invalid certificate
>> being presented causing Firefox to warn "The certificate is not valid for
>> any server names" (as well as certificate not trusted). The certificate's
>> Common Name is "members.spi-inc.org" and there are no Subject Alt Name hosts.
>>
>> How can we have trust in the CA when the CA itself cannot correctly manage
>> its own certificates?
>
> While your empirical data is correct, your conclusion is not. There's no place
> in which we link to the main SPI website using that URL; it's intended to be
> viewed over unencrypted HTTP. The only SPI website which is meant for HTTPS
> access is members.spi-inc.org, which is correctly reflected in the SSL
> certificate.
If that is the intent then the URL I accessed should *not* be served over HTTPS at all.

My initial issue - the untrusted Debian certificate - stemmed from being referred to the Debian URL in order to check the Debian Linux kernel repository. I was not using a Debian host to do that, so when the browser warned of certificate issues I followed the chain back to the CA. Not having heard of SPI previously I wanted to verify the organisation's authenticity. Finding what seemed like an amateurish fault on the SPI host certificate too, my willingness to trust the CA was greatly diminished.

_______________________________________________
Spi-general mailing list
[email protected]
http://lists.spi-inc.org/listinfo/spi-general
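The disagreement in the thread comes down to how a client decides whether a certificate is valid for the host name in the URL: a certificate with only a Common Name of members.spi-inc.org and no Subject Alternative Name can never match spi-inc.org, which is exactly the "not valid for any server names" warning TJ saw. The following is an added example, not code from the thread or from SPI, showing the name-matching rule a TLS client applies. The two certificate dictionaries are constructed to mirror the thread's description (CN only, no SAN) and its corrected counterpart (SAN entries present); the issuer name is a placeholder.

```python
"""Server-name matching for X.509 certificates (added example, not SPI code).

Rules demonstrated (RFC 6125 / RFC 2818 behaviour):
  * if the certificate carries dNSName SAN entries, only those are consulted;
  * the Common Name is a legacy fallback that only applies when no SAN exists,
    and many current clients do not honour it at all;
  * a wildcard may only stand for one whole left-most label.
"""

# Constructed certificate in the dict shape ssl.SSLSocket.getpeercert() returns.
# CN is set and subjectAltName is absent, as described in the thread.
CERT_CN_ONLY = {
    "subject": ((("commonName", "members.spi-inc.org"),),),
    "issuer": ((("organizationName", "PLACEHOLDER-CA"),),),  # placeholder value
}

# Constructed certificate that covers both hosts via SAN. The CN is deliberately
# unrelated to show that it is ignored once SAN entries are present.
CERT_WITH_SAN = {
    "subject": ((("commonName", "ignored.example"),),),
    "issuer": ((("organizationName", "PLACEHOLDER-CA"),),),  # placeholder value
    "subjectAltName": (("DNS", "spi-inc.org"), ("DNS", "*.spi-inc.org")),
}


def _dns_name_matches(pattern, hostname):
    """Case-insensitive label-by-label match; '*' only as the entire left-most label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Refuse wildcards that would cover a public suffix such as "*.org",
        # and never let the wildcard match an empty label.
        return len(p_labels) >= 3 and h_labels[0] != "" and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def san_dns_names(cert):
    """All dNSName entries from the subjectAltName extension (may be empty)."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def common_names(cert):
    """All commonName attributes from the subject."""
    return [value for rdn in cert.get("subject", ()) for kind, value in rdn if kind == "commonName"]


def hostname_matches(cert, hostname, allow_cn_fallback=False):
    """Return True if the certificate is valid for `hostname`.

    allow_cn_fallback=True reproduces the legacy behaviour of consulting the
    Common Name when there are no SAN entries; the default reflects clients
    that require SAN.
    """
    sans = san_dns_names(cert)
    if sans:
        return any(_dns_name_matches(name, hostname) for name in sans)
    if allow_cn_fallback:
        return any(_dns_name_matches(name, hostname) for name in common_names(cert))
    return False


def explain(cert, hostname, allow_cn_fallback=False):
    """Human-readable verdict, useful when triaging a browser warning."""
    sans = san_dns_names(cert)
    source = "SAN %r" % (sans,) if sans else "CN %r (no SAN present)" % (common_names(cert),)
    verdict = "matches" if hostname_matches(cert, hostname, allow_cn_fallback) else "does NOT match"
    return "%s %s via %s" % (hostname, verdict, source)


if __name__ == "__main__":
    for host in ("spi-inc.org", "members.spi-inc.org"):
        print(explain(CERT_CN_ONLY, host, allow_cn_fallback=True))
        print(explain(CERT_WITH_SAN, host))
```

Run as a script it prints one line per host and certificate. The CN-only certificate matches members.spi-inc.org only when the legacy CN fallback is enabled and never matches spi-inc.org, so serving the bare domain over HTTPS with that certificate guarantees a warning; the SAN-bearing certificate matches both hosts regardless of its CN.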
