On Mon, 19 May 2014, 10:37:23 CEST, Simon Tennant <[email protected]> wrote:
> One problem I have noticed:
>
> - domains that use CACert certificates are problematic.
>
> Probably due to cacert being dropped from the trust chain. The site in
> question went to a different registrar and everything works now.

Yes, it is very unfortunate that the TLS forcing comes immediately after the mass removal of the only certificate provider whom I and others use broadly. It has become the perfect advertisement campaign for a broken, costly CA system based on corporate trust rather than user trust.

I have personally added the cacert.org root to my ca-certificates folder and removed the blacklisting on systems where such a thing was added by the package manager. That will continue to be necessary for communicating with @hethane.se.

I'd hope to see others do this too, or simply implement some sort of TOFU policy which can understand new certs when they expire.

Or are we all going to put our trust in StartCom from now on? ;)

--
Mikael Nordfeldth
XMPP/mail: [email protected]
