On Wed, June 15, 2016 10:38 am, Warren Young wrote:
On Jun 15, 2016, at 9:02 AM, Valeri Galtsev galtsev@kicp.uchicago.edu wrote:
I do see WoSign there (though I'd prefer to avoid my US located servers have certificates signed by authority located in China, hence located sort of behind "the great firewall of China" - call me superstitious).
That's a perfectly valid concern. The last I heard, modern browsers trust 1,100 CAs! Surely some of those CAs have interests that do not align with my interests.
I do not see either starttls.com or letsencrypt.org among Authorities certificates.
That's because they are not top-tier CAs.
This means (correct me if I'm wrong) that client has to import one of these Certification Authorities certificates
You must be unaware of certificate chaining:
https://en.wikipedia.org/wiki/Intermediate_certificate_authorities
Sorry, intermediate authorities just slept off my mind somehow (to say worst: my server certificates _are_ signed by intermediate CA - shame on me ;-)
Valeri
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++