Certificate signed by an unknown authority issued by F-Secure Freedome Clients. Is this legitimate?

Shigster

 

Thanks

 

EDIT: Removed picture due to PII

Laksh

Hi Shigster,

 

Yes, it's completely legitimate.

 

By definition, a self-signed certificate is a certificate which has signed itself. Freedome uses a private certificate authority (CA) which signs the Freedome server certificates; so the server certs themselves are not technically self-signed.
 
All 3rd party CAs can potentially be either fooled, tricked, or pressured by a local government, to issue fraudulent certificates. It has happened many times, and CAs which were thought to be trustworthy have later turned up to not be trustworthy.
 
If Freedome used a public CA, our customers would have to trust both F-Secure and the Finnish legal system to be trustworthy, 'and' the 3rd-party CAs chosen by F-secure 'and' their local legal systems too. Since Freedome uses private CAs, the customer only needs to trust F-Secure and Finland. Freedome’s server CA, managed by F-Secure, does not take in certificate signing requests from other customers around the world, so it’ll be quite hard to fool it to sign fraudulent certificates.

Shigster

Can I get a response from F-Secure please?

Shigster

Thank you very much. I really appreciate the way you explained what was going on including the legal and political entanglements involved. Much of the time we don't see the bigger picture.