From: | TJ <spi-inc(at)iam(dot)tj> |
---|---|
To: | Jimmy Kaplowitz <jimmy(at)spi-inc(dot)org> |
Cc: | spi-general(at)lists(dot)spi-inc(dot)org |
Subject: | Re: www.spi-inc.org uses an invalid security certificate |
Date: | 2014-02-27 20:48:35 |
Message-ID: | 530FA4A3.9070506@iam.tj |
Lists: | spi-general |
On 27/02/14 17:37, Jimmy Kaplowitz wrote:
> On Thu, Feb 27, 2014 at 07:43:32AM +0000, TJ wrote:
>> Visiting spi-inc.org [2] I hit another issue with an invalid certificate being presented causing Firefox to warn "The certificate is not valid for any server names" (as well as certificate not
>> trusted). The certificate's Common Name is "members.spi-inc.org" and there are no Subject Alt Name hosts.
>>
>> How can we have trust in the CA when the CA itself cannot correctly manage its own certificates?
>
> While your empirical data is correct, your conclusion is not. There's no place
> in which we link to the main SPI website using that URL; it's intended to be
> viewed over unencrypted HTTP. The only SPI website which is meant for HTTPS
> access is members.spi-inc.org, which is correctly reflected in the SSL
> certificate.

If that is the intent then the URL I accessed should *not* be served over HTTPS at all.

My initial issue - the untrusted Debian certificate - stemmed from being referred to the Debian URL in order to check the Debian Linux kernel repository. I was not using a Debian host to do that, so when the browser warned of certificate issues I followed the chain back to the CA.

Not having heard of SPI previously I wanted to verify the organisation's authenticity. Finding what seemed like an amateurish fault on the SPI host certificate too, my willingness to trust the CA was greatly diminished.