[Users] Accepting certificates emitted by certificate authorities

Jérôme jerome at jolimont.fr
Mon Nov 11 22:24:43 CET 2019


On Sat, 9 Nov 2019 09:01:29 -0000,
Paul <claws at thewildbeast.co.uk> wrote:

> On Thu, 7 Nov 2019 22:15:28 +0100
> Jérôme <jerome at jolimont.fr> wrote: 
> 
> > IIUC, this will accept all valid certificates, in other words I
> > wouldn't be notified if a self-signed certificate was modified,
> > which is not really what I intended.  
> 
> You don't understand correctly. Claws Mail checks against the CA
> stores at any or all (depending on what's available on your system)
> of the following locations:

Great.

Rephrasing to be sure I understand correctly.

When the checkbox is not ticked, claws-mail will always notify on cert
change. When it is ticked, it will silently accept certificates that
are valid according to one of the CA stores found in the system, but it
will still notify about new self-signed certs (in fact, any cert that
is not signed by a CA corresponding to the stores found on the system).

This is exactly what I need.

I guess I was in doubt because

- "valid" is ambiguous to me, perhaps because I'm not familiar
  enough with SSL certificates. I assumed it meant structurally valid,
  like, not just plain gibberish, but a well-formed certificate, even
  self-signed.

- Now that I understand how this feature works, I think it would make
  sense to activate it (tick the checkbox) by default. Having to opt-in
  gave me the feeling I was doing something potentially slightly
  insecure.

Anyway, thank you Paul for the explanation.

Have a nice day.

-- 
Jérôme

