| 1 |
On Thu, Sep 27, 2007 at 05:23:26PM +0200, Hanno B??ck wrote: |
| 2 |
> Well, I hope I don't have to tell that self-signed certs are not really good |
| 3 |
> security policy. |
| 4 |
Whether or not self-signed certs are secure or insecure depends entirely |
| 5 |
on your definition of 'secure'. |
| 6 |
- Is the traffic encrypted between your machine and the server? |
| 7 |
Always, regardless of it being a self-signed or self-CA, or external CA. |
| 8 |
- Can you be sure that there is no MITM attack? |
| 9 |
Only if you trust the CA _OR_ you know in advance the SSL fingerprint. |
| 10 |
|
| 11 |
Knowing the SSL fingerprint is trivial, if you login to machines with |
| 12 |
SSH, you are be doing this every day. |
| 13 |
|
| 14 |
> I think most of you know that there's CAcert, a "free" certificate authority. |
| 15 |
> While it's sadly not free in a "free software" sense (their own software |
| 16 |
> isn't released under a free license, though I hope that will change at some |
| 17 |
> point in the future), it uses a web-of-trust-based concept for trust and |
| 18 |
> issues certificates with no costs. |
| 19 |
Go and read ALL of this bug: |
| 20 |
http://bugs.gentoo.org/show_bug.cgi?id=108944 |
| 21 |
Pylon and myself, as folk in favour of CA-Cert tried to get the ball |
| 22 |
rolling to get Organization-level certs from CACert. It seems to have |
| 23 |
long blocked on trustees and paperwork - both on our side, and on the |
| 24 |
side of CACert (Inclusion in Mozilla is blocking on the CACert internal |
| 25 |
audit). |
| 26 |
|
| 27 |
> I think compared to self-signed, having cacert-certificates would be a big |
| 28 |
> improvement. Many other free software projects (and more and more other |
| 29 |
> pages) use cacert, so it becomes more and more likely that people will |
| 30 |
> already have the cacert-root-cert installed. |
| 31 |
I don't agree that it's a big improvement. If you read the bug above, |
| 32 |
you'll note that we did at one stage have a 'Gentoo CA' that Infra ran |
| 33 |
for generating certs. |
| 34 |
|
| 35 |
-- |
| 36 |
Robin Hugh Johnson |
| 37 |
Gentoo Linux Developer & Infra Guy |
| 38 |
E-Mail : robbat2@g.o |
| 39 |
GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85 |
Archives