That seems odd. Are you saying that if the entire chain is on the server, up to and including a root certificate, the browser will not prompt for the use of an untrusted root cert? That seems both odd, and an utterly huge security hole... Robert -----Original Message----- From: thelist-bounces at lists.evolt.org [mailto:thelist-bounces at lists.evolt.org] On Behalf Of Joshua Olson Sent: Friday, January 25, 2008 4:27 PM To: thelist at lists.evolt.org Subject: Re: [thelist] SSL Certificate Choices > -----Original Message----- > From: kasimir-k > Sent: Friday, January 25, 2008 5:54 PM > > Using a free certificate the visitors must usually excplictly > accept the CA as trusted. And if it is a site targeted to > general public, the browser popping up a question "do you > really trust this certificate authority?" does not appear > too trustworthy... I do not concur with the premise of this argument. Free or inexpensive certificates do not inherently present such a message--all that is required to avoid the message is to put the intermediate certificates (the whole chain) on the server. Check out alphaSSL. Joshua -- * * Please support the community that supports you. * * http://evolt.org/help_support_evolt/ For unsubscribe and other options, including the Tip Harvester and archives of thelist go to: http://lists.evolt.org Workers of the Web, evolt !