WKD proper behavior on fetch error

Juergen Bruckner juergen at bruckner.email
Mon Jan 18 12:07:04 CET 2021


Hello again Stefan

Am 17.01.21 um 22:27 schrieb Stefan Claas:
> On Sun, Jan 17, 2021 at 10:16 PM Juergen Bruckner via Gnupg-users
> <gnupg-users at gnupg.org> wrote:
> 
> Hi Juergen.
> 
>> Your showcase with github.io also says nothing else than that Sequoia
>> considers an invalid certificate to be correct. That this happens in
>> audited software says just as much about the value of the audit.
> 
> Please try to accept that GitHub's SSL cert is *valid*, or do you think
> that a CA certifies an invalid cert?
> 
[...]

For you to take notes:
The certificate used by github issued by the CA DigiCert Inc IS valid for:

   - www.github.com
   - github.com
   - *.github.com
   - github.io
   - *.github.io
   - githubusercontent.com
   - *.githubusercontent.com

so that means the certificate MAY be valid for
   - abc.github.io

but it MUST NOT be valid for
   - foo.abc.github.com

This is stipulated in the guidelines of the CA/B Forum to which all 
CAs worldwide have to adhere. DigiCert Inc. is no exception.

So what some members have already said to you here applies.
Sequoia accepts an *invalid* certificate for the host 
'foo.abc.github.io' and that is "failure by design".

That won't change if you claim the opposite a million times.

Best
Juergen
-- 
/¯\   No  |
\ /  HTML |    Juergen Bruckner
  X    in  |    juergen at bruckner.email
/ \  Mail |
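
The single-label wildcard rule the message relies on, as an added example that is not part of the original post or of any WKD client: a strict matcher run over the SAN list quoted above. The function names are hypothetical, and the matcher assumes DNS names only (no IP addresses, no partial wildcards such as "f*o").

```python
# SAN dNSName entries as listed in the message above.
SAN_DNS_NAMES = [
    "www.github.com", "github.com", "*.github.com",
    "github.io", "*.github.io",
    "githubusercontent.com", "*.githubusercontent.com",
]


def _labels(name):
    # Case-insensitive comparison; a trailing root dot is ignored.
    return name.rstrip(".").lower().split(".")


def san_matches(pattern, hostname):
    """Return True if one SAN entry covers the requested hostname.

    A wildcard is honoured only as the complete left-most label and
    stands for exactly one label, so it never spans a dot.
    """
    p, h = _labels(pattern), _labels(hostname)
    if "" in h or "*" in hostname:
        return False          # empty label or wildcard in the request
    if len(p) != len(h):
        return False          # "*" cannot absorb extra labels
    if p[0] == "*":
        # Require at least two fixed labels to the right of the wildcard.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h             # exact match; partial wildcards never match


def matching_sans(hostname, sans=SAN_DNS_NAMES):
    """List every SAN entry that covers hostname (empty list = reject)."""
    return [s for s in sans if san_matches(s, hostname)]


def cert_valid_for(hostname, sans=SAN_DNS_NAMES):
    return bool(matching_sans(hostname, sans))


if __name__ == "__main__":
    # Hostnames taken from the discussion above.
    for host in ("github.io", "abc.github.io",
                 "foo.abc.github.io", "foo.abc.github.com"):
        hits = matching_sans(host)
        print(f"{host:22} {'accept' if hits else 'REJECT'} {hits}")
```

A client that fetches from a two-level subdomain of github.io and still completes the TLS handshake against this certificate is not applying this check.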
