[TYPO3-typo3org] Signed SSL-certificate

Michael Stucki michael at typo3.org
Mon Feb 22 15:09:47 CET 2010

Hi folks,

>> How can I be sure that cacert.org is good and secure?
> How can you be sure with other certificate authorities? The requirements to
> get a certificate are far less on several authorities included in all
> browser than they are with CAcert.

At this point someone may explain the difference between verification
and extended verification (as promoted by VeriSign) to me:

To me this sheet leaves the impression that a normal certificate is not
completely trustable. (2 of 3 stars may be interpreted as 2 out of 3
verifications are correct?!)

Besides this, I doubt that any 100$ certification issuer has equal
verification standards as those which are more expensive.

So are we talking about security or blue icons in the browser bar?

Here is some more stuff about incidents in the history of secure web
- CA of the Chinese government added to Windows, Macintosh and Firefox
systems: http://www.imminentweb.com/technologies/remove-cnnic-ca
- VeriSign mistakenly issues in Microsoft's name:

Those are the super-embarrassing issues, but I assume there will be many
similar issues which will never be discovered.

Finally, I recommend to read the following article which basically
claims that none of these efforts are actually safe:

Bottomline: Forget about it, as it's not worth the effort. I agree that
a note on typo3.org is helpful and have added it at these locations:

- michael

More information about the TYPO3-team-typo3org mailing list