-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Martin Witzel wrote:
| Except when you have an independent means to verify that
|    a) the self-signed certificate which you received during the handshake
|         comes from the entity which claims to be the originator
|    b) you also feel comfortable to trust this entity which issues its own
|         certificate
| self-signed server certificates are essentially meaningless.

You can also receive the self-signed certificate through a separate,
possibly trusted, channel.  E.g., if you're a business that uses your
own ssc internally you could put the cert on the media that contains
your web browser installation images, etc.

If it's your own application, you can take this a step further and put
the ssc into the source code.

I agree that ssc's provided by unknown parties at the time of use are
worthless as a form of self-authentication, but that doesn't mean that
there's *no* valid use for them.

BTW, ss client certs are useful if you have some shared secret with the
server.  Sign the secret with the ssc, encrypt it with the server's
public key, and the server can then cache that ssc as authentication for
that client.  It would be trivial to extend this protocol to feed the ssc
into an internal CA where it would be signed and returned to the client.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE9tgx8mr0uXf8FxOURAmR5AKCH15zsAuv6UAnha3EN0M1HKleHCACgxrz5
XdeC8zeyPitQNfPsDPtkwLs=
=ZTQ7
-----END PGP SIGNATURE-----
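
Putting the self-signed certificate into your own application's source, as the message suggests, is commonly done by pinning its SHA-256 fingerprint and refusing any other certificate. The Python code below is an added example, not part of the original message; `normalize_pin`, `is_pinned`, `connect_pinned` and `PINNED` are hypothetical names, and `SAMPLE_DER` is constructed stand-in data rather than a real certificate.

```python
import hashlib
import socket
import ssl

# CONSTRUCTED sample: stand-in bytes for the DER encoding of your own
# self-signed certificate. These are not a real certificate.
SAMPLE_DER = b"constructed-self-signed-cert-DER-stand-in"

def normalize_pin(text):
    """Accept 'AB:CD:...' (openssl x509 -fingerprint style) or plain hex."""
    pin = text.replace(":", "").strip().lower()
    if len(pin) != 64 or any(c not in "0123456789abcdef" for c in pin):
        raise ValueError("pin must be a SHA-256 fingerprint (64 hex digits)")
    return pin

# Pins compiled into the application; hold two entries while rotating certs.
# The pin is derived from the sample here so the block is self-contained.
# A real build would carry the fingerprint as a string literal.
PINNED = frozenset({normalize_pin(hashlib.sha256(SAMPLE_DER).hexdigest())})

def is_pinned(der_cert, pins=PINNED):
    """True only if the presented certificate is byte-for-byte a pinned one."""
    if not der_cert:
        return False  # peer presented no certificate
    return hashlib.sha256(der_cert).hexdigest() in pins

def connect_pinned(host, port, pins=PINNED):
    """Open a TLS connection that trusts only the compiled-in certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # CA chain validation cannot succeed for a self-signed cert that is not
    # in the trust store, so it is switched off and replaced by the pin check.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((host, port), timeout=10)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    # Check the pin before any application data is sent or read.
    if not is_pinned(tls.getpeercert(binary_form=True), pins):
        tls.close()
        raise ssl.SSLError("server certificate does not match a pinned fingerprint")
    return tls
```

Because chain validation is disabled, the pin check is the only thing authenticating the server, so no application data should cross the socket on any path that skips it.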

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]