> The rather larger problem is that the little lock is generally presumed by
> users to mean much more than it does. Emphasizing cert validity only
> compounds the problem. As an example, after today I'd be rather more
> concerned if I didn't get an unknown cert warning from a Debian site than
> if I did.
Yes indeed. A web certificate, as it is used nowadays, will not do much more than get you privacy. It does not make the web site more or less secure (and I have already said that here). A self-signed one is as good as one signed by a so-called trusted CA. What makes a specific public certificate more "trusted" is out-of-band checking and validation (serial number, CN or DN verification, etc.). A digital (public) certificate is nothing more than a public encryption key with some identifying data, signed by someone you do not know but have decided to trust. And, again -- it is not the web site's public certificate you trust, it's the signer. You do not know anything about who is deploying this specific certificate, but *you* (or someone with the necessary power) decided the signer is trusted.

Scott, methinks, is absolutely correct. But I doubt he, or I, or both of us, or whoever else, will be able to change the Way Things Are (TM).

..hggdh..
-- Ubuntu-devel-discuss mailing list Ubuntu-devel-discuss@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
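The distinction the post draws, between "a CA I already trust signed this" and "I checked this certificate's identity out of band", can be shown on the command line. The script below is an added example and is not code from the thread or from Ubuntu: it assumes only the `openssl` CLI, mints a throwaway self-signed certificate for the hypothetical host `www.example.test`, shows that chain validation against the system trust store rejects it, that it is accepted once you yourself decide to trust its signer (here, itself), and that a SHA-256 fingerprint plus CN recorded out of band accepts it with no CA involved at all.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): CA trust versus out-of-band
# verification of a self-signed certificate. Requires the openssl CLI only.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test certificate: self-signed, CN=www.example.test (hypothetical
# host name). Prints the path of the PEM certificate.
make_selfsigned_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/site.key" -out "$WORK/site.crt" \
        -subj "/CN=www.example.test" >/dev/null 2>&1
    echo "$WORK/site.crt"
}

# The browser-style check: does a CA already in the system trust store vouch
# for this certificate? Returns 0 on success, non-zero otherwise. A self-signed
# certificate fails here ("self signed certificate") regardless of how well it
# is built, because nobody the store knows has signed it.
chain_validates() {
    openssl verify "$1" >/dev/null 2>&1
}

# The same check, but with a signer *you* chose to trust ($2 is the PEM file of
# that trust anchor). For a self-signed certificate the anchor is the
# certificate itself; once you trust the signer, verification passes.
trusted_signer_validates() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# SHA-256 fingerprint of the DER-encoded certificate, the value an operator
# would publish through some other channel (signed mail, a phone call, a
# published list) so a client can verify the certificate out of band.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Subject CN as a bare string (handles both "CN = x" and "/CN=x" output styles).
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *//p'
}

# Out-of-band validation: accept the certificate only if its fingerprint and CN
# match what was recorded out of band. No CA signature is consulted.
#   $1 cert file, $2 pinned fingerprint, $3 expected CN
pinned_validates() {
    [ "$(cert_fingerprint "$1")" = "$2" ] || return 1
    [ "$(cert_cn "$1")" = "$3" ]
}

# Stand-alone demonstration; each line is a claim from the post made concrete.
main() {
    cert=$(make_selfsigned_cert)
    if chain_validates "$cert"; then
        echo "system store trusts the self-signed cert (unexpected)"
    else
        echo "chain validation against the system store: REJECTED (self-signed)"
    fi
    if trusted_signer_validates "$cert" "$cert"; then
        echo "chain validation with the signer we chose to trust: OK"
    fi
    pin=$(cert_fingerprint "$cert")   # obtained out of band in real life
    echo "pinned fingerprint: $pin"
    if pinned_validates "$cert" "$pin" "www.example.test"; then
        echo "out-of-band fingerprint + CN check: OK"
    fi
    if pinned_validates "$cert" "$pin" "www.other.test"; then
        echo "CN mismatch accepted (unexpected)"
    else
        echo "out-of-band check with wrong CN: REJECTED"
    fi
}

if command -v openssl >/dev/null 2>&1; then
    main
else
    echo "openssl not found; nothing to demonstrate" >&2
fi
```

The point the script makes is the one in the post: `openssl verify` says nothing about the site, only about whether a signer you already trust has endorsed the certificate, and adding the self-signed certificate as a trust anchor makes the identical certificate pass. The pinned check is what actually binds the certificate to an identity you verified yourself, which is why a fingerprint obtained through a trustworthy second channel is worth more than a lock icon.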