On 12/30/12, John Levine wrote:
> Do you ever buy SSL certificates? For cheap certificates ($9
> Geotrust, $8 Comodo, free Startcom, all accepted by Gmail), the
> entirety of the identity validation is to send an email message to an
> address associated with the domain, typically one of the WHOIS
>I would say those claiming certificates from a public CA provide no
>assurance of authentication of server identity greater than that of a
>self-signed one would have the burden of proof to show that it is no
>less likely for an attempted forger to be able to obtain a false
>"bought" certificate f
On 12/30/12, Keith Medcalf wrote:
> Your assertion that using "bought" certificates provides any security
> benefit whatsoever assumes facts not in evidence.
I would say those claiming certificates from a public CA provide no
assurance of authentication of server identity greater than that of a
s
While I will agree that the client being able to validate the certificate
directly is the best place to be, I do not see any advantage of requiring
purchased certificates over self-signed certificates. IMO it provides no
realistic security benefit at all.
Then again I don't award points for
c
On Sun, Dec 30, 2012 at 3:30 PM, Keith Medcalf wrote:
> Your assertion that using "bought" certificates provides any security benefit
> whatsoever assumes facts not in evidence.
>
> Given recent failures in this space I would posit that the requirement to use
> certificates purchased from entiti
Your assertion that using "bought" certificates provides any security benefit
whatsoever assumes facts not in evidence.
Given recent failures in this space I would posit that the requirement to use
certificates purchased from entities "under the thumb" of government control,
clearly motivated o