1 |
On Thu, Sep 27, 2007 at 05:23:26PM +0200, Hanno B??ck wrote: |
2 |
> Well, I hope I don't have to tell that self-signed certs are not really good |
3 |
> security policy. |
4 |
Whether or not self-signed certs are secure or insecure depends entirely |
5 |
on your definition of 'secure'. |
6 |
- Is the traffic encrypted between your machine and the server? |
7 |
Always, regardless of it being a self-signed or self-CA, or external CA. |
8 |
- Can you be sure that there is no MITM attack? |
9 |
Only if you trust the CA _OR_ you know in advance the SSL fingerprint. |
10 |
|
11 |
Knowing the SSL fingerprint is trivial, if you login to machines with |
12 |
SSH, you are be doing this every day. |
13 |
|
14 |
> I think most of you know that there's CAcert, a "free" certificate authority. |
15 |
> While it's sadly not free in a "free software" sense (their own software |
16 |
> isn't released under a free license, though I hope that will change at some |
17 |
> point in the future), it uses a web-of-trust-based concept for trust and |
18 |
> issues certificates with no costs. |
19 |
Go and read ALL of this bug: |
20 |
http://bugs.gentoo.org/show_bug.cgi?id=108944 |
21 |
Pylon and myself, as folk in favour of CA-Cert tried to get the ball |
22 |
rolling to get Organization-level certs from CACert. It seems to have |
23 |
long blocked on trustees and paperwork - both on our side, and on the |
24 |
side of CACert (Inclusion in Mozilla is blocking on the CACert internal |
25 |
audit). |
26 |
|
27 |
> I think compared to self-signed, having cacert-certificates would be a big |
28 |
> improvement. Many other free software projects (and more and more other |
29 |
> pages) use cacert, so it becomes more and more likely that people will |
30 |
> already have the cacert-root-cert installed. |
31 |
I don't agree that it's a big improvement. If you read the bug above, |
32 |
you'll note that we did at one stage have a 'Gentoo CA' that Infra ran |
33 |
for generating certs. |
34 |
|
35 |
-- |
36 |
Robin Hugh Johnson |
37 |
Gentoo Linux Developer & Infra Guy |
38 |
E-Mail : robbat2@g.o |
39 |
GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85 |