On 07/09/16 00:07, A wrote:
Just as a quick point of note for anyone that might benefit.
I happen to be working certs right now myself. I discovered
letsencrypt.org a free certificate authority. Pretty nifty. That's all
we know. ;)
Anyone with the ability to understand the OpenSSL documentation, which
presumably includes all the Pidgin developers, can become a free
certificate authority. The difficulty is convincing browser and
operating system suppliers that you are actually checking the identity
of the people requesting the certificates properly, and, for Microsoft,
probably paying them a fee for inclusion.
Certificates aren't necessary for encryption; they are necessary to be
sure that the encrypted channel is going directly to the organisation to
which you think it is going without a man in the middle being able to
decrypt and re-encrypt it.
cacert.org is a much longer established free certificate authority, but
they are still not included in Microsoft systems. letsencrypt get into
Microsoft software because they are a second level authority, although
that begs the question as to why Microsoft should allow that, for a
public second level authority.
Whereas cacert document their trust model up front, I couldn't see
anything explaining the trust model for letsencrypt on a quick scan of
their site.
_______________________________________________
Support@pidgin.im mailing list
Want to unsubscribe? Use this link:
https://pidgin.im/cgi-bin/mailman/listinfo/support