In my understanding "invalid" includes "signed by untrusted authority". I'm no security expert, and for me a browser reporting an invalid certificate is a red flag - I'll have a hard time figuring out that cacert.org are in fact the "good guys". I believe this can also turn away some contributors, who will think the page is abandoned/compromised, without looking into much detail.

As for Let's Encrypt - they reported several days ago that they are trusted by major browsers - https://letsencrypt.org/2015/10/19/lets-encrypt-is-trusted.html. Check https://helloworld.letsencrypt.org/ - it's trusted.

BR,
Artur.

On Sun, Oct 25, 2015 at 2:35 PM, Frank Lanitz <frank@frank.uvena.de> wrote:
On 25.10.2015 at 13:17, Arthur Peka wrote:
>
> some may have already said it, but certificate
> on https://lists.geany.org is invalid. I guess the one from Let's
> Encrypt could be used (which now seems to be trusted)?

They made a huge step forward, but AFAIK are not yet done. By now we are
using CAcert and the certificate is not invalid only because your
browser doesn't know the CAcert root certificates¹. It's just untrusted.

However, the plan is, once they are really online we think about migration.

Cheers,
Frank

¹ http://www.cacert.org/index.php?id=3

P.S. Sorry if this might have sounded rude. Not sure. Wasn't intended. SSL
is not just the green lock symbol, it's more. Even a self-signed
certificate can, well in most cases it is if you check fingerprints, be
more trustworthy than a signed one.

