
On Tue, Mar 06, 2012 at 11:00:56PM +0000, James Harper wrote:
> But I think there is a world of difference between trusting a self-signed cert and a cert that chains to a commercial CA.
Which do you trust more:

1. a certificate signed by a CA cert that was pre-installed into your OS or browser as a result of some corporate deal?

2. a certificate signed by a CA cert that you got directly from your correspondent and installed by you into your browser or OS?

*THAT* is the sum total of the difference between a commercial cert and a self-signed cert.

Commercial CAs are, at best, just a convenience so ignorant end-users don't have to think about the issues involved. And convenience is the enemy of security.

To me, 2. is far more worthy of my trust than 1., but I'd prefer an option 3 (which doesn't exist for ssl/tls AFAIK):

3. a certificate signed by several (the more the better) other certificates in a large web of trust.

craig

-- 
craig sanders <cas@taz.net.au>

BOFH excuse #212:

Of course it doesn't work. We've performed a software upgrade.
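The three options in the message differ only in *which keys sit in the trust anchor set* and *how many independent signatures are required*, not in the cryptography. The following is an added toy model (not code from the thread or from any real TLS/PGP implementation) that makes that visible: a constructed signature graph, a chain search for the hierarchical model (options 1 and 2, differing only in the anchor you supply) and a threshold count for the web-of-trust model (option 3). All names (`PreinstalledCA`, `CorrespondentCA`, `alice`, `mail.example`, ...) are invented placeholders.

```python
"""Toy model of PKI trust models: hierarchical chain vs. web of trust.

Added illustration, not code from the mailing-list thread. The signature
graph below is constructed; it stands in for the "A's key has signed B's
certificate" relation that a real validator would check cryptographically.
"""
from collections import deque

# Constructed signature graph: signer -> set of subjects whose certs it signed.
SIGNATURES = {
    "PreinstalledCA": {"shop.example"},    # option 1: root shipped with the OS/browser
    "CorrespondentCA": {"mail.example"},   # option 2: anchor you obtained and installed yourself
    "alice": {"bob", "carol"},             # option 3: peers in a web of trust
    "bob": {"carol", "mail.example"},
    "carol": {"mail.example"},
    "dave": {"mail.example"},
}


def signers_of(signatures):
    """Invert the graph: subject -> set of keys that signed it."""
    rev = {}
    for signer, subjects in signatures.items():
        for subject in subjects:
            rev.setdefault(subject, set()).add(signer)
    return rev


def find_chain(subject, anchors, signatures, max_depth=5):
    """Hierarchical model (options 1 and 2).

    Walk backwards from the subject along "signed by" edges until a trusted
    anchor is reached. Returns the chain [anchor, ..., subject] or None.
    The only input that distinguishes option 1 from option 2 is `anchors`.
    """
    rev = signers_of(signatures)
    queue = deque([(subject, [subject])])
    seen = {subject}
    while queue:
        node, path = queue.popleft()
        if node in anchors:
            return list(reversed(path))
        if len(path) > max_depth:          # bound path length like a real validator
            continue
        for signer in sorted(rev.get(node, ())):
            if signer not in seen:
                seen.add(signer)
                queue.append((signer, path + [signer]))
    return None


def trusted_signers(subject, trusted_keys, signatures):
    """Web-of-trust model (option 3): direct signers of `subject` whose own
    keys you have personally verified (the `trusted_keys` set)."""
    rev = signers_of(signatures)
    return sorted(s for s in rev.get(subject, ()) if s in trusted_keys)


def is_trusted_by_web(subject, trusted_keys, signatures, threshold):
    """Accept the subject only if at least `threshold` independently trusted
    keys vouch for it (the "more the better" policy from the message)."""
    return len(trusted_signers(subject, trusted_keys, signatures)) >= threshold


if __name__ == "__main__":
    # Option 1: vendor-shipped root vouches for shop.example, not for mail.example.
    print("option 1:", find_chain("shop.example", {"PreinstalledCA"}, SIGNATURES))
    print("option 1:", find_chain("mail.example", {"PreinstalledCA"}, SIGNATURES))
    # Option 2: the anchor you installed yourself vouches for your correspondent.
    print("option 2:", find_chain("mail.example", {"CorrespondentCA"}, SIGNATURES))
    # Option 3: several verified peers must agree before the cert is accepted.
    mine = {"alice", "bob", "carol"}
    print("option 3 signers:", trusted_signers("mail.example", mine, SIGNATURES))
    print("option 3 (threshold 2):", is_trusted_by_web("mail.example", mine, SIGNATURES, 2))
    print("option 3 (threshold 3):", is_trusted_by_web("mail.example", mine, SIGNATURES, 3))
```

Swapping `{"PreinstalledCA"}` for `{"CorrespondentCA"}` is the entire difference between options 1 and 2 in this model; the same chain search runs in both cases. The web-of-trust check is a different shape of policy: it counts independent vouchers you have verified yourself, so raising `threshold` is what makes "the more the better" enforceable rather than a matter of taste.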