WKD proper behavior on fetch error
Juergen Bruckner
juergen at bruckner.email
Mon Jan 18 12:07:04 CET 2021
Hello again Stefan
On 17.01.21 at 22:27, Stefan Claas wrote:
> On Sun, Jan 17, 2021 at 10:16 PM Juergen Bruckner via Gnupg-users
> <gnupg-users at gnupg.org> wrote:
>
> Hi Juergen.
>
>> Your showcase with github.io also says nothing else than that Sequoia
>> considers an invalid certificate to be correct. That this happens in
>> audited software says just as much about the value of the audit.
>
> Please try to accept that GitHub's SSL cert is *valid*, or do you think
> that a CA certifies an invalid cert?
>
[...]
For you to take notes:
The certificate used by github issued by the CA DigiCert Inc IS valid for:
- www.github.com
- github.com
- *.github.com
- github.io
- *.github.io
- githubusercontent.com
- *.githubusercontent.com
so that means the certificate MAY be valid for
- abc.github.io
but it MUST NOT be valid for
- foo.abc.github.com
This is stipulated in the guidelines of the CA/B Forum to which all
CAs worldwide have to adhere. DigiCert Inc. is no exception.
So what some members have already said to you here applies.
Sequoia accepts an *invalid* certificate for the host
'foo.abc.github.io' and that is "failure by design".
That won't change if you claim the opposite a million times.
Best
Juergen
--
/¯\ No |
\ / HTML | Juergen Bruckner
X in | juergen at bruckner.email
/ \ Mail |
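
Added example, not part of the original message and not code from Sequoia or GnuPG: a minimal hostname check that applies the single-label wildcard rule to the SAN list quoted above. The function names are hypothetical, and the matcher is a simplified sketch that assumes ASCII DNS names only.

```python
# SAN dNSName entries as listed in the message above.
SAN_DNS_NAMES = [
    "www.github.com", "github.com", "*.github.com",
    "github.io", "*.github.io",
    "githubusercontent.com", "*.githubusercontent.com",
]

def _labels(name):
    """Lower-case a DNS name, drop one trailing dot, split into labels."""
    name = name.lower()
    if name.endswith("."):
        name = name[:-1]
    return name.split(".")

def pattern_matches(pattern, hostname):
    """Match one SAN entry against a hostname.

    A wildcard is honoured only as the complete left-most label and
    stands for exactly one label; it never spans a dot.
    """
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in h:
        return False
    # Reject wildcards outside the left-most label.
    if any("*" in label for label in p[1:]):
        return False
    if p[0] == "*":
        # Require two fixed labels so patterns like "*.io" never match.
        return len(p) >= 3 and p[1:] == h[1:]
    if "*" in p[0]:
        # Partial wildcards such as "f*.example" are not accepted here.
        return False
    return p == h

def cert_covers(hostname, san_names=SAN_DNS_NAMES):
    """Return the SAN entries covering hostname (empty list: mismatch)."""
    return [s for s in san_names if pattern_matches(s, hostname)]

if __name__ == "__main__":
    for host in ("github.io", "abc.github.io",
                 "foo.abc.github.io", "foo.abc.github.com"):
        hits = cert_covers(host)
        print(f"{host:20} {'OK via ' + hits[0] if hits else 'MISMATCH'}")
```

A client that fetches from a multi-label host under github.io should see a mismatch here and treat the TLS connection as failed.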