[TYPO3-typo3org] Signed SSL-certificate

Michael Stucki michael at typo3.org
Mon Feb 22 15:09:47 CET 2010


Hi folks,

>> How can I be sure that cacert.org is good and secure?
> 
> How can you be sure with other certificate authorities? The requirements to
> get a certificate are far lower with several authorities included in all
> browsers than they are with CAcert.

At this point someone may explain the difference between verification
and extended verification (as promoted by VeriSign) to me:
http://www.verisign.ch/ssl/buy-ssl-certificates/secure-site-services/index.html

To me this sheet leaves the impression that a normal certificate is not
completely trustworthy. (2 of 3 stars may be interpreted as 2 out of 3
verifications being correct?!)

Besides this, I doubt that any $100 certificate issuer has the same
verification standards as those which are more expensive.

So are we talking about security or blue icons in the browser bar?

Here is some more stuff about incidents in the history of secure web
browsing:
- CA of the Chinese government added to Windows, Macintosh and Firefox
systems: http://www.imminentweb.com/technologies/remove-cnnic-ca
- VeriSign mistakenly issues certificates in Microsoft's name:
http://news.cnet.com/2100-1001-254586.html

Those are the super-embarrassing issues, but I assume there will be many
similar issues which will never be discovered.

Finally, I recommend reading the following article, which basically
claims that none of these efforts are actually safe:
http://lair.fifthhorseman.net/~dkg/tls-centralization/

Bottom line: Forget about it, as it's not worth the effort. I agree that
a note on typo3.org is helpful and have added one at these locations:
https://svn.typo3.org/README
https://typo3.org/community/your-account/ssl-certificate/

- michael

