On Wed, June 15, 2016 10:38 am, Warren Young wrote:
> On Jun 15, 2016, at 9:02 AM, Valeri Galtsev <galtsev at kicp.uchicago.edu> wrote:
>>
>> I do see WoSign there (though I'd prefer to avoid my US located servers
>> have certificates signed by authority located in China, hence located
>> sort of behind "the great firewall of China" - call me superstitious).
>
> That's a perfectly valid concern. The last I heard, modern browsers
> trust 1,100 CAs! Surely some of those CAs have interests that do not
> align with my interests.
>
>> I do not see neither starttls.com nor letsencrypt.org between
>> Authorities certificates.
>
> That's because they are not top-tier CAs.
>
>> This means (correct me if I'm wrong) that client has to
>> import one of these Certification Authorities certificates
>
> You must be unaware of certificate chaining:
>
> https://en.wikipedia.org/wiki/Intermediate_certificate_authorities

Sorry, intermediate authorities just slept off my mind somehow (to say
worst: my server certificates _are_ signed by intermediate CA - shame on
me ;-)

Valeri

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++