[Dovecot] Changing SSL certificates - switching from self-signed to RapidSSL

Reindl Harald h.reindl at thelounge.net
Sat Apr 19 08:20:39 UTC 2014



On 19.04.2014 09:58, Stephan von Krawczynski wrote:
> On Sat, 19 Apr 2014 09:40:07 +0200
> Reindl Harald <h.reindl at thelounge.net> wrote:
> 
>> it is working, it is working as good as it can and if you compare the
>> costs of 130 € for 3 years with support calls because of self-signed
>> certificates and the *real harm* done by training ordinary users to ignore
>> warnings, just guess which way works
>>
>> honestly if i connect to a server owned by a company coming
>> with a self-signed certificate without having been told so before
>> i get alarmed that they may not be trustworthy because if they
>> save the little money for the cert i may assume they save money
>> on other important things too
> 
> Honestly, with your awareness of "as good as it can" wouldn't it be fair to
> tell people that they spend millions all over the planet for something that is
> not working? How can you expect the situation to get any better if you cover
> the problem by buying certs only for the reason to avoid warnings that are
> useless anyways?

how can you expect it gets better by self-signed certificates
and training users to "ignore warnings because they are useless"

you can do that for your pet's homepage where you know any
visitor in person but not for the world

what you achieve is they ignore all other warnings too because
guys like you told them "warnings are useless"

> You know things go wrong and still do support it. I think one should have
> learned in the after-Snowden-era where this leads to

and where does it lead to trigger warnings all over the planet and train
people to ignore them? in case of a mailserver that's not a real big
problem because the amount of users is limited

on a public website it is insane to present a browser warning as welcome message

if there is a working replacement, widely supported by client-software
and usable for the ordinary enduser - fine - let us adopt it - until
that does not exist you are talking bullshit

well, i have an offer for you:
you pay the support calls caused by certificate warnings, you also pay for the
harm of other ignored warnings as a result of training monkeys, you go out and
make *every* enduser a tech person who understands certificates and SSL before,
and after that we all start to drop CA certificates

deal?
