On 12/11/2010 9:14 PM, MFPA wrote:
> But couldn't a man-in-the-middle server authenticate by presenting the
> user's browser with an acceptable certificate signed by a "trusted"
> CA? And is a self-signed certificate any more or any less secure in
> this scenario?

The entire idea of a "self-signed certificate" is kind of a non sequitur. The question isn't whether a certificate is self-signed or signed by Verisign. The question is whether the certificate is signed by someone you trust. If you know the certificate issuer, you've verified the certificate fingerprint with the web site owner, etc., then you can use a self-signed certificate with great confidence.

With respect to your hypothetical scenario, sure. Getting marks to trust people who plan on betraying that trust is a ploy that's about as old as the hills. I think Samson might have something to say about Delilah, and Holofernes' troops might have something to say about Judith, just to name two instances...
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
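
Added example, not part of the original message or of any project's code: one way to act on a fingerprint that was verified with the site owner is to pin it, so that any other certificate is refused no matter who signed it. The function names and the sample byte strings are assumptions made for this illustration; the byte strings are constructed stand-ins for DER-encoded certificates.

```python
import hashlib
import hmac
import re
import socket
import ssl


def normalize_fingerprint(text):
    """Accept 'AB:CD:...', 'ab cd ...' or bare hex; return 64 lowercase hex digits."""
    hexstr = re.sub(r"[\s:]", "", text).lower()
    if re.fullmatch(r"[0-9a-f]{64}", hexstr) is None:
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return hexstr


def fingerprint(der_bytes):
    """SHA-256 over the DER encoding of the certificate."""
    return hashlib.sha256(der_bytes).hexdigest()


def matches_pin(presented_der, pinned_fingerprint):
    """True only if the presented certificate is exactly the one that was verified."""
    expected = normalize_fingerprint(pinned_fingerprint)
    return hmac.compare_digest(fingerprint(presented_der), expected)


def fetch_der(host, port=443, timeout=5.0):
    """Fetch the server's certificate without chain validation; the pin check
    replaces it, so nothing may be sent on the connection before it passes."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


# Constructed stand-ins for DER bytes; real input comes from fetch_der().
SITE_CERT = b"constructed: self-signed certificate of the real site"
MITM_CERT = b"constructed: CA-signed certificate presented by a man in the middle"

# Fingerprint as the site owner might read it out: upper case, colon separated.
_h = fingerprint(SITE_CERT)
PINNED = ":".join(_h[i:i + 2] for i in range(0, 64, 2)).upper()

if __name__ == "__main__":
    print("site certificate:", matches_pin(SITE_CERT, PINNED))
    print("MITM certificate:", matches_pin(MITM_CERT, PINNED))
```

The pin only carries the trust of the channel over which the fingerprint was obtained, so it has to come from the site owner out of band and not from the connection being checked.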