[Info-vax] forum.vmssoftware.com/

David Wade g4ugm at dave.invalid
Mon Sep 11 12:09:39 EDT 2023


On 11/09/2023 15:59, bill wrote:
> On 9/11/2023 10:06 AM, Johnny Billquist wrote:
>> On 2023-09-11 10:02, David Wade wrote:
>>> On 11/09/2023 03:34, Arne Vajhøj wrote:
>>>> On 9/10/2023 9:56 PM, Arne Vajhøj wrote:
>>>>> There is something going on with that site.
>>>>>
>>>>> I tried again.
>>>>>
>>>>> FF gives cert revoked every time now.
>>>>>
>>>>> Chrome works. And say that cert expire Tuesday, September 19, 2023 
>>>>> at 7:59:59 PM.
>>>>
>>>> I tried via work.
>>>>
>>>> Chrome works.
>>>>
>>>> FF does not work but gives a different error:
>>>>
>>>> "Bad Server Certificate" and certificate expiration is 11-Nov-2284 
>>>> 07:08:23.
>>>>
>>>> WTF??
>>>>
>>>> Arne
>>>>
>>>>
>>> Every certificate contains a URL for a certificate revocation list 
>>> (CRL). So if a certificate is compromised, for example because its 
>>> private key is stolen, it can be revoked.
>>
>> What kind of broken scheme is that? You get an URL and are supposed to 
>> check if something is ok based on this? How hard would it be to direct 
>> that to somewhere else and fake things?
>>
>>> What you are seeing is the fact that Chrome and Edge don't check the 
>>> CRL but FF does
>>
>> Which is bad, but also shows how much you can trust certificates or 
>> sites, based on your browser approving of them.
>>
> 
> On this whole certificate thing.  I have never understood why I am
> expected to trust a certificate issued by someone I don't know and
> have no reason to trust in the first place.
> 

How else would you arrange things?

> If you think that certificate someone gave you is really secure take
> a look at recent papers about a safe manufacturer who gave the
> government a code that opens every safe they have sold.  Are you
> sure there isn't a back door for your certificate?  

Look at the uproar in the UK when the government recently asked for 
this. If there were back doors the bad guys would have figured them out 
and the world would be a different place.

Consider the case of TSA locks on suitcases. It's now totally pointless 
locking a bag or case on a USA flight, as every scroate owns a set of TSA 
keys and so both the good guys and the bad guys can get in.

> Do you trust that
> the issuer wouldn't give it to someone other than you?
> 

Well, as an end user I don't have a certificate. When I accept an SSL 
session I still trust in the certificate owner and the certificate 
issuers, i.e. the web site, to keep their private keys private.

The issuer can give the rest of my certificate to the world. Every web 
site does that whenever you initiate an SSL session. What they don't 
give out is the associated private key, the secret part of the exchange.

The certificate issuer can't give that out: they never have it. It is never 
seen by the certificate issuer, so they can't give it to anyone else. Of 
course, if someone could determine my private key from my public key 
then they could duplicate the certificate. This means that as computing speeds 
advance, the key lengths need to increase....


> bill
> 
> 

Dave
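The three mechanisms argued over in this thread (the CA signs a certificate without ever holding the site's private key, the CRL URL travels inside the certificate, and a relying party only honours a CRL the issuer actually signed, which is why redirecting that URL buys an attacker nothing) can be exercised end to end offline. The following is an added example written for this page, not code from anyone in the thread or from VMS Software; it uses the third-party `cryptography` package, and the CA name, host name and CRL URL are made up.

```python
"""Constructed demo (not from the mailing-list thread): CSR -> issued cert with a
CRL distribution point -> CRL check, including a forged CRL that must be rejected.
Requires the 'cryptography' package. Every name and URL here is hypothetical."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtensionOID, NameOID

CRL_URL = "http://crl.example/demo.crl"  # hypothetical distribution point


def _now():
    return datetime.datetime.now(datetime.timezone.utc)


def make_ca(name="Demo Root CA"):
    """CA side: self-signed root. The CA's private key never leaves here."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    cert = (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(subject)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(_now() - datetime.timedelta(minutes=5))
            .not_valid_after(_now() + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def site_make_csr(hostname):
    """Site side: generate the key pair locally. Only the CSR (public key plus a
    proof-of-possession signature) is sent to the CA; the private key stays put."""
    key = ec.generate_private_key(ec.SECP256R1())
    csr = (x509.CertificateSigningRequestBuilder()
           .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)]))
           .sign(key, hashes.SHA256()))
    return key, csr.public_bytes(serialization.Encoding.PEM)


def ca_issue(ca_key, ca_cert, csr_pem, days=90):
    """CA side: verify the CSR's self-signature (requester proved it holds the
    private key), then issue a leaf certificate that carries the CRL URL."""
    csr = x509.load_pem_x509_csr(csr_pem)
    if not csr.is_signature_valid:
        raise ValueError("CSR proof-of-possession failed")
    crl_dp = x509.DistributionPoint(full_name=[x509.UniformResourceIdentifier(CRL_URL)],
                                    relative_name=None, reasons=None, crl_issuer=None)
    return (x509.CertificateBuilder()
            .subject_name(csr.subject).issuer_name(ca_cert.subject)
            .public_key(csr.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(_now() - datetime.timedelta(minutes=5))
            .not_valid_after(_now() + datetime.timedelta(days=days))
            .add_extension(x509.CRLDistributionPoints([crl_dp]), critical=False)
            .sign(ca_key, hashes.SHA256()))


def build_crl(signing_key, issuer_cert, revoked_serials):
    """Build a CRL that names issuer_cert as its issuer. signing_key is the CA key
    in the honest case and an attacker's key in the forgery case below."""
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(issuer_cert.subject)
               .last_update(_now())
               .next_update(_now() + datetime.timedelta(days=7)))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder()
            .serial_number(serial).revocation_date(_now()).build())
    return builder.sign(signing_key, hashes.SHA256())


def crl_urls(cert):
    """Relying party: read the CRL distribution point URL(s) out of the certificate."""
    try:
        dps = cert.extensions.get_extension_for_oid(ExtensionOID.CRL_DISTRIBUTION_POINTS).value
    except x509.ExtensionNotFound:
        return []
    return [n.value for dp in dps for n in (dp.full_name or [])
            if isinstance(n, x509.UniformResourceIdentifier)]


def check_cert(cert, ca_cert, crl):
    """Relying party: check the leaf's signature, then consult the CRL. The CRL is
    trusted only if the issuer's key signed it, so a CRL served from a hijacked URL
    is rejected rather than believed."""
    ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                ec.ECDSA(cert.signature_hash_algorithm))
    if crl.issuer != ca_cert.subject or not crl.is_signature_valid(ca_cert.public_key()):
        return "crl-not-trusted"
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    return "good"


def demo():
    ca_key, ca_cert = make_ca()
    site_key, csr_pem = site_make_csr("forum.example")  # hypothetical host
    cert = ca_issue(ca_key, ca_cert, csr_pem)
    attacker_key = ec.generate_private_key(ec.SECP256R1())
    return {
        "csr_has_private_key": b"PRIVATE KEY" in csr_pem,
        "cert_pubkey_matches_site": cert.public_key().public_numbers()
                                    == site_key.public_key().public_numbers(),
        "crl_urls": crl_urls(cert),
        "before_revocation": check_cert(cert, ca_cert, build_crl(ca_key, ca_cert, [])),
        "after_revocation": check_cert(cert, ca_cert, build_crl(ca_key, ca_cert, [cert.serial_number])),
        "forged_crl": check_cert(cert, ca_cert, build_crl(attacker_key, ca_cert, [])),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it and `demo()` shows the CSR carries no private key, the issued certificate binds the site's own public key, the CRL URL is readable from the certificate, the same certificate flips from "good" to "revoked" once its serial is on a CA-signed CRL, and a CRL signed by anyone else is refused. A real client would fetch the CRL from that URL (or use OCSP) and also enforce validity dates and a full chain; that part is omitted here so the example runs without network access.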


