On Mon, 2012-09-10 at 10:26 +0200, Bastien Durel wrote:
On Sunday, 09 September 2012 at 22:40 -0400, Jeff Fortin wrote:

As users (mostly) ignore security warnings[1], it should be useless, IMHO. SSH does not target the same users as browsers or mail readers, so users are more likely to read them. (And SSH keys don't expire, so you can keep fingerprints for ages)

[1] http://lorrie.cranor.org/pubs/sslwarnings.pdf

Yep, after 20+ years as a System & Network Administrator I can tell you with complete certainty that 99.44% of users just-hit-accept when they see an invalid-certificate notice. The only solution is a policy which disables accepting untrusted certificates [and what a nightmare that is as there are *many* commerce sites that use expired or self-signed certificates </bangs_head_against_wall>]. There is no issue with how GNOME or Evolution manages certificates.