Today using the version of Pidgin that came with Fedora 10 I received the following certificate prompt:
Accept certificate for ows.messenger.msn.com?
The root certificate this one claims to be issued by is unknown to Pidgin.
The majority of cases of unknown certificate issuers are due to the chain of trust breaking down. This break down in the certificate chain is mainly caused by the software in question not including the intermediate certificate authorities certificates. Without these intermediate certificates the software can not verify through the certificate hierarchy up till the root certificate and therefore prompts the user about what to do.
The options I received in the Pidgin prompt were:
View certificate
Accept
Reject
Upon selecting “View certificate” I am presented with the following details:
Common name: ows.messenger.msn.com
Fingerprint (SHA1): a9:9c:2d:ee:4a:d1:c8:7d:a7:c5:c3:05:32:98:5f:ee:57:87:73:8a
Activation date: Tue Jan 29 14:37:21 2008
Expiration date: Wed Jan 28 14:37:21 2009
So far everything looks as it is a bona fide certificate but to verify the identity completely I load the page https://ows.messenger.msn.com/ in Firefox. As expected no certificate warnings were received and I opened the certificate viewer to see its details and confirmed the data matches up with the data received in Pidgin:
I can safely trust this certificate as Firefox has verified through the certificate chain that all intermediate certificates are valid too:
This certificate is simply used by Microsoft for the Live Messenger offline messaging service. Although you normally would trust verified certificates it did happen in the past that certificates were incorrectly issued to the wrong people. So always be cautious!