Hi,
On 25.10.2015 at 14:41, Arthur Peka wrote:
In my understanding "invalid" includes "signed by untrusted authority". I'm no security expert, and for me a browser reporting an invalid certificate is a red flag - I'll have a hard time figuring out that cacert.org are in fact the "good guys". I believe this can also turn away some contributors, who will think the page is abandoned/compromised, without looking into much detail.
I'm aware of this and we discussed it several times on some of our mailing lists. Untrusted != invalid. Unfortunately people don't want to understand this, so browser developers decided to show "OMG we are gonna die" error warnings in every case and to hide the "I know what I'm doing" option. It's even getting harder and harder to ack a self-signed certificate from release to release of the browser. This is bad. Now by default it's easier to trust some company that might be forced by some government or whoever (stock owners maybe) to sign a not valid certificate than to trust your very own self-created certificate, e.g. for your personal intranet. But this is another topic and off topic here.
As for let's encrypt - they reported several days ago that they are trusted by major browsers
https://helloworld.letsencrypt.org/ - it's trusted.
At least I'm aware of this and, as Enrico mentioned, we will go into the process of an update maybe soon. This was the big step I was referring to.
So tl;dr: There will be an update on this kind of soonish.
Cheers, Frank