2013-01-22 04:49:48.85314-08 by meuon 0 comments
So I've been trying to explain why a customer is having issues with their RapidSSL (Geotrust) certificate in technical terms. I gave up. Below is part of an actual email I sent them. I'm hoping it helps other lost souls.
Later tonight XXX time, I'll see if I can make things work better. The issue is what you had to add when you installed the latest cert. Remember adding:
That's the chaining part.
Let's put this in politically incorrect non-technical terms:
We all trust God. God's Certificate is installed in our browsers from the factory.
God says: I trust the Angel Michael.
So when we go to Angel Michael's website, we see God's seal of approval. We accept that, because God says Michael's site is real.
But Angel Michael is a little more lax in his seal of approval, it gets spread around a lot, and a Golgathan Demon convinces Michael to stamp him... (under duress... or false witness)
So when we go to the Demon's website, we see Michael's seal, and we can see that God trusts Michael, but we don't have Michael's stamp of approval in our trust circle, and we don't convey God's trust of Michael into Michael's trust of a Demon.
Which is why some browsers (smart ones, actually) don't trust sites with an intermediate certificate. We want our trust directly from God himself, because Angels can be fickle beasts. Even God's favorite angel Satan went bad, and God revoked his trust certificate.
It's time to buy a certificate from God, directly. He ain't cheap. You can pick any God, just pick one installed directly in most browsers. That's what you are paying for: God's word, direct distribution network into the souls of your web browsers. The encryption part is easy. You can sign your own certificates, but no one will trust that God automatically.
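As an added illustration (not part of meuon's post or of the email he quotes), here is a small Python model of what a browser actually does with "the chaining part": it walks from the site's certificate up through issuer links until it hits a certificate it already trusts. The certificate names, key identifiers and trust store below are constructed for the example; signatures, validity dates and revocation are not checked, only the issuer linkage (issuer name plus Authority Key Identifier matching the issuer's Subject Key Identifier, which is how real chain builders locate an issuer) and whether the walk reaches a trust anchor. That is enough to show why a server that sends only its leaf certificate fails even though the root is trusted, why sending the intermediate fixes it, and why a self-signed certificate never chains to anything.

```python
"""Toy model of certificate chain building (constructed example, no real keys)."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate."""
    subject: str
    subject_key_id: str    # models the Subject Key Identifier extension
    issuer: str
    authority_key_id: str  # models the Authority Key Identifier extension
    is_ca: bool            # models basicConstraints cA=TRUE


def find_issuer(cert: Cert, candidates: Iterable[Cert]) -> Optional[Cert]:
    """Return the CA certificate named as `cert`'s issuer, or None.

    Matches issuer name and AKI -> SKI. A real validator would then verify
    the signature with that CA's public key; this toy stops at the linkage.
    """
    for c in candidates:
        if (c.is_ca and c.subject == cert.issuer
                and c.subject_key_id == cert.authority_key_id):
            return c
    return None


def build_chain(leaf: Cert, presented: List[Cert], trust_store: List[Cert],
                max_depth: int = 8) -> Tuple[bool, object]:
    """Walk from the leaf up to a trust anchor.

    `presented` is what the server sent in the TLS handshake (leaf plus any
    intermediates, i.e. "the chaining part"); `trust_store` is what the browser
    ships with. Returns (True, [subjects leaf..root]) or (False, reason).
    """
    chain = [leaf]
    current = leaf
    for _ in range(max_depth):
        anchor = find_issuer(current, trust_store)
        if anchor is not None:               # reached a root the browser trusts
            chain.append(anchor)
            return True, [c.subject for c in chain]
        nxt = find_issuer(current, presented)  # otherwise look in what the server sent
        if nxt is None:
            return False, (f"no trusted path: issuer '{current.issuer}' of "
                           f"'{current.subject}' is neither in the trust store "
                           "nor among the certificates the server sent")
        if nxt in chain:
            return False, "issuer loop in presented certificates"
        chain.append(nxt)
        current = nxt
    return False, "chain exceeds maximum depth"


# Constructed certificates: a root the browser trusts, an intermediate it does
# not ship with, a site certificate signed by that intermediate, and a
# self-signed site certificate.
ROOT = Cert("Constructed Root CA", "root-key", "Constructed Root CA", "root-key", True)
INTERMEDIATE = Cert("Constructed Intermediate CA", "inter-key",
                    "Constructed Root CA", "root-key", True)
LEAF = Cert("www.example.com", "leaf-key", "Constructed Intermediate CA", "inter-key", False)
SELF_SIGNED = Cert("www.example.com", "self-key", "www.example.com", "self-key", False)
BROWSER_TRUST_STORE = [ROOT]


def server_sends_only_leaf():
    """Intermediate omitted from the server config: fails despite a trusted root."""
    return build_chain(LEAF, [LEAF], BROWSER_TRUST_STORE)


def server_sends_leaf_and_intermediate():
    """Intermediate added to the server config: chain reaches the root."""
    return build_chain(LEAF, [LEAF, INTERMEDIATE], BROWSER_TRUST_STORE)


def server_sends_self_signed():
    """Self-signed certificate: encryption works, but nothing vouches for it."""
    return build_chain(SELF_SIGNED, [SELF_SIGNED], BROWSER_TRUST_STORE)


if __name__ == "__main__":
    for name, fn in [("leaf only", server_sends_only_leaf),
                     ("leaf + intermediate", server_sends_leaf_and_intermediate),
                     ("self-signed", server_sends_self_signed)]:
        ok, detail = fn()
        print(f"{name:20s} -> {'TRUSTED' if ok else 'REJECTED'}: {detail}")
```

The practical check on a real server is the same walk done by hand: confirm that the certificate file the web server serves contains the site certificate followed by every intermediate up to (but not necessarily including) the root that browsers ship with.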
Flutterby™ is a trademark claimed by Dan Lyke for the web publications at www.flutterby.com and www.flutterby.net.