ot: accepting self certs into win pc?

[Reindl Harald]

Am 24.06.2014 17:25, schrieb Patrick De Zordo:
>> -----Ursprüngliche Nachricht-----
>> Von: dovecot [mailto:dovecot-bounces at dovecot.org] Im Auftrag von
>> Stephan von Krawczynski
>> Gesendet: Dienstag, 24. Juni 2014 17:15
>> An: Patrick De Zordo
>> Cc: 'Dovecot Mailing List'
>> Betreff: Re: AW: ot: accepting self certs into win pc?
>>
>> On Tue, 24 Jun 2014 17:03:09 +0200
>> Patrick De Zordo <patrick at spamreducer.eu> wrote:
>>
>>> Don't use self signed certs! - Buy some, or use free services! Your
>> reputation will grow!
>>
>> I am sorry, but someone _has_ to say it: if anyone really thinks that a south
>> african or US entity selling certs is the way to "grow your reputation" this
>> alone should tell you that the whole thing is nothing but a bogus _business_.
>> It has zero to do with security or the like. It is a _business_ and it should be
>> obvious that you will only be lied by the corresponding entity if something
>> bad happened (probably for years). Look at the diginotar story and _learn_.
>>
> [De Zordo Patrick] 
> Basically true if using some "strange" certs providers. The cert providers proven 
> by big software companies should be the safe way

please stop to prove that you have no clue how certs are working

it does not matter who signed *your* cert
the problem is that any client trust *thousands* of CA's
*any* of them can sign to anybody a cert preteding he is you
you can't do anything against that

if someone gets a certificate for yourdomain.tld and manages
the client to connect to his server instead yours you have
no way to take notice, the user have no way to notice and
the game is over

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 246 bytes
Desc: OpenPGP digital signature
URL: <http://dovecot.org/pipermail/dovecot/attachments/20140624/691a46a9/attachment.sig>