On Thu, Sep 27, 2007 at 05:23:26PM +0200, Hanno Böck wrote:
> Well, I hope I don't have to tell that self-signed certs are not really good 
> security policy.
Whether or not self-signed certs are secure or insecure depends entirely
on your definition of 'secure'. 
- Is the traffic encrypted between your machine and the server? 
  Always, regardless of it being a self-signed or self-CA, or external CA.
- Can you be sure that there is no MITM attack?
  Only if you trust the CA _OR_ you know in advance the SSL fingerprint.

Knowing the SSL fingerprint is trivial, if you login to machines with
SSH, you are doing this every day.

> I think most of you know that there's CAcert, a "free" certificate authority. 
> While it's sadly not free in a "free software" sense (their own software 
> isn't released under a free license, though I hope that will change at some 
> point in the future), it uses a web-of-trust-based concept for trust and 
> issues certificates with no costs.
Go and read ALL of this bug:
http://bugs.gentoo.org/show_bug.cgi?id=108944
Pylon and myself, as folk in favour of CA-Cert, tried to get the ball
rolling to get Organization-level certs from CACert. It seems to have
long blocked on trustees and paperwork - both on our side, and on the
side of CACert (Inclusion in Mozilla is blocking on the CACert internal
audit).

> I think compared to self-signed, having cacert-certificates would be a big 
> improvement. Many other free software projects (and more and more other 
> pages) use cacert, so it becomes more and more likely that people will 
> already have the cacert-root-cert installed.
I don't agree that it's a big improvement. If you read the bug above,
you'll note that we did at one stage have a 'Gentoo CA' that Infra ran
for generating certs.

-- 
Robin Hugh Johnson
Gentoo Linux Developer & Infra Guy
E-Mail     : [EMAIL PROTECTED]
GnuPG FP   : 11AC BA4F 4778 E3F6 E4ED  F38E B27B 944E 3488 4E85
