<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html style="direction: ltr;">
  <head>
    <meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
    <style>body p { margin-bottom: 0cm; margin-top: 0pt; } </style>
  </head>
  <body style="direction: ltr;"
    bidimailui-detected-decoding-type="UTF-8" bgcolor="#ffffff"
    text="#000000">
    <br>
    I don't think CertWatch does any deverification. As far as I know,
    when it first goes on a site with a cert, it will display this popup
    and never again, unless the cert for that site changed (it caches the
    cert in some way, I guess). The intention is to let you know,
    initially, who issued the cert, but more importantly - if a cert you
    already vetted manually on a site was replaced. The action to take
    based on that is yours.<br>
    <br>
    Thank you, Ehud<br>
    <br>
    On 09/09/2011 11:14 AM, Adrien Lamothe wrote:<br>
    <span style="white-space: pre;">> Right. So, the problem on my end was:<br>
      > <br>
      > 1. I update Firefox.<br>
      > 2. Upon restarting Firefox, CertWatch informs me it wants to update certificates.<br>
      > 3. CertWatch then proceeds to pop up a procession of windows, each with cert data, each with "OK" and "Cancel" buttons.<br>
      > 4. I see contradictory information in the cert data. But I trust that CertWatch knows what it is doing (which it did.) However, CertWatch doesn't tell me it is de-verifying those certs, merely that it is updating them. Being the first time so many certs are updated since I installed CertWatch, I was unaware of what exactly it was doing to them, until I went into Firefox's "View Certificates" area to see they "could not be verified for unknown reasons."<br>
      > 5. I mention the contradictory data on this list, because I find it interesting.<br>
      > <br>
      > Perhaps CertWatch should add a notation during update<br>
      > notification, as to the nature of the update.<br>
      > <br>
      > <br>
      >
      ----------------------------------------------------------------------<br>
      ><br>
      > </span><br>
    <span style="white-space: pre;">> *From:* Rick Moen <a class="moz-txt-link-rfc2396E" href="mailto:rick@linuxmafia.com"><rick@linuxmafia.com></a><br>
      > *To:* <a class="moz-txt-link-abbreviated" href="mailto:conspire@linuxmafia.com">conspire@linuxmafia.com</a><br>
      > *Sent:* Friday, September 9, 2011 10:27 AM<br>
      > *Subject:* Re: [conspire] Comodo-signed bogosity (was: DigiNotar Damage Disclosure)<br>
      > <br>
      > Quoting Adrien Lamothe (<a class="moz-txt-link-abbreviated" href="mailto:alamozzz@yahoo.com">alamozzz@yahoo.com</a>):<br>
      > <br>
      >> Right. So what I was seeing, apparently, was CertWatch telling<br>
      >> me those certs had been marked as bad, only it wasn't apparent<br>
      >> that was what it was saying.<br>
      > <br>
      > Not sure what you saw, really.<br>
      > <br>
      > Just to elaborate on my comment to Ehud that there are always ways<br>
      > to tunnel traffic out past dumb corporate firewalling:<br>
      > <a class="moz-txt-link-freetext" href="http://sebsauvage.net/punching/">http://sebsauvage.net/punching/</a> <- Best and most thorough<br>
      > <a class="moz-txt-link-freetext" href="http://www.nocrew.org/software/httptunnel.html">http://www.nocrew.org/software/httptunnel.html</a><br>
      > <a class="moz-txt-link-freetext" href="http://www.linuxhowtos.org/Security/sshproxy.htm">http://www.linuxhowtos.org/Security/sshproxy.htm</a><br>
      > <br>
      > <br>
      > _______________________________________________ conspire
      mailing<br>
      > list <a class="moz-txt-link-abbreviated" href="mailto:conspire@linuxmafia.com">conspire@linuxmafia.com</a>
      <a class="moz-txt-link-rfc2396E" href="mailto:conspire@linuxmafia.com"><mailto:conspire@linuxmafia.com></a> <br>
      > <a class="moz-txt-link-freetext" href="http://linuxmafia.com/mailman/listinfo/conspire">http://linuxmafia.com/mailman/listinfo/conspire</a><br>
      > </span><br>
    <br>
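    Added example, not part of the thread and not CertWatch's own code: a sketch of the remember-on-first-visit behaviour described in the reply above, with a notification that states the nature of a change as the quoted message suggests. The class, method names, hostnames, issuer strings and certificate bytes are all constructed for illustration.<br>

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Seen:
    fingerprint: str  # SHA-256 over the DER-encoded certificate bytes
    issuer: str       # issuer name as supplied by the caller (assumption)


class CertCache:
    """Hypothetical first-use cache: host -> last certificate the user accepted."""

    def __init__(self):
        self._seen = {}

    @staticmethod
    def _key(host):
        return host.lower().rstrip(".")

    def observe(self, host, der_bytes, issuer):
        """Return (event, note); event is 'first_seen', 'unchanged' or 'changed'."""
        host = self._key(host)
        now = Seen(hashlib.sha256(der_bytes).hexdigest(), issuer)
        old = self._seen.get(host)
        if old is None:
            self._seen[host] = now  # first visit: show issuer once, then remember
            return "first_seen", f"{host}: issued by {issuer}"
        if old.fingerprint == now.fingerprint:
            return "unchanged", ""  # same cert as before: stay silent
        # The cache is NOT updated here; the action to take is left to the user.
        if old.issuer != now.issuer:
            return "changed", (f"{host}: certificate replaced, issuer changed "
                               f"from {old.issuer} to {issuer}")
        return "changed", f"{host}: certificate replaced, same issuer {issuer}"

    def accept(self, host, der_bytes, issuer):
        """Record the user's decision to trust the replacement certificate."""
        self._seen[self._key(host)] = Seen(hashlib.sha256(der_bytes).hexdigest(), issuer)


def demo():
    # Constructed stand-ins for DER certificates; only their bytes matter here.
    cache = CertCache()
    visits = [("shop.example", b"cert-v1", "CA One"),
              ("shop.example", b"cert-v1", "CA One"),
              ("shop.example", b"cert-v2", "CA Two"),
              ("shop.example", b"cert-v2", "CA Two")]
    return [cache.observe(*v)[0] for v in visits]
```

    The replacement keeps being reported as changed until accept() is called, so a swapped certificate is never adopted silently.<br>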
  </body>
</html>