Hi,
Am 25.10.2015 um 14:41 schrieb Arthur Peka:
> In my understanding "invalid" includes "signed by untrusted authority".
> I'm no security expert, and for me browser reporting an invalid
> certificate is a red flag - I'll have a hard time figuring out
> that cacert.org <http://cacert.org> are in fact the "good guys". I
> believe, this can also turn away some contributors, who will think the
> page is abandoned/compromised, without looking into much details.
I'm aware of this and we dicussed it several times at some of our
mailinglists. Untrusted != invalid. Unfortunately people don't want to
understand this so browser developers decided to send in every case "OMG
we are gonna die"-error warnings and hiding the option "I know what I'm
doing". It's even getting hard and herder to ack a selfsigned
certificate from release of release of browser. This is bad. Now in
default it's easier to trust some company might forced by some
gouverment or whoever (stock owners maybe) to sign a not valid
certificate than to trust your very own self created certificate e.g.
for your personal intranet. But this is another topic and off topic here.
> As for let's encrypt - they reported several days ago that they are
> trusted by major browsers
> - https://letsencrypt.org/2015/10/19/lets-encrypt-is-trusted.html. Check
> https://helloworld.letsencrypt.org/ - it's trusted.
At least I'm aware of this and as Enrico mentioned we will go into
process of update maybe soon. this was the big step I was referring to.
So tl;dr: There will be an update on this kind of soonish.
Cheers,
Frank