[Dshield] Self-signed certificates (was: Re: ISP's That Ignore Abuse Reports)

jayjwa jayjwa at atr2.ath.cx
Wed Jun 15 11:19:27 GMT 2005

On Mon, 13 Jun 2005, Stephane Grobety wrote:

-> I would like to remind you that using self-signed certificates and
-> private CAs for anything but internal use is bad(tm).

My CA is better maintained than most. I've seen "server at example.com" on 
production sites and other such nonsense. Microsoft's own on one of their 
sites (can you find it?) lacks an issuer entirely. Very few know the 
purpose of a CRL. I issue my own certs, signed by that one, and all of my 
daemons, including my MTA, present one. Myself and those that visit my 
site or connect to my daemons have a lot more trust and faith in myself 
than some company they've never met, seen, nor spoken with. I'm not 
against it, but simply because a big-name company charges $200+ for their 
signature does not a more secure server make. Certainly your browser 
alerted you to this; I've not seen one that did not. You then can make the 
choice yourself. Oddly enough, if it had been a plain old http connection, 
I doubt anyone would have said a word. The only pieces I had left out of 
that certificate were my state and city, which I thought were a bit 
personal to post in a very public place, but as my friend in the other 
thread has felt the need to announce this anyway, perhaps now I will 
include it.

I do not mind connecting to a site and seeing a self-signed cert, as long as 
it's done correctly. I've seen universities do it, commercial sites do it, 
special-interest groups do it, and so on down the line. Collect the root 
CA, verify it, and if it satisfies you put it with your others. It's not a 
Bad Idea, it's a matter of trust.

Confidentiality Notice: This email may contain confidential
and privileged information. If in the event that it does,
please send it back to me with a reply telling me how
stupid I am for sending confidential info to a public forum.
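The procedure the post describes (a private root CA that issues certs for the daemons, a CRL for the ones that have to be withdrawn, and a client that collects the root, checks its fingerprint out of band, and only then adds it to its trust store) worked through end to end in Go's standard library. This is an added example, not code from the poster or from the DShield list: the CA, the hostname mail.example.test, and the serial numbers are all constructed in-process for illustration, and the fingerprint check stands in for whatever out-of-band verification you actually do (a phone call, a published hash, a fingerprint on a business card).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// PrivateCA is a self-signed root plus its signing key. Constructed in-process
// for this example; a real private CA keeps this key offline.
type PrivateCA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewPrivateCA creates a self-signed root that may sign certificates and CRLs.
func NewPrivateCA(name string) (*PrivateCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		// CRLSign is required, otherwise CreateRevocationList refuses the issuer.
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	// Self-signed: template and parent are the same certificate.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &PrivateCA{Cert: cert, Key: key}, nil
}

// IssueServerCert signs a leaf certificate for one daemon (hostname in the SAN).
func (ca *PrivateCA) IssueServerCert(host string, serial int64) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Fingerprint is the SHA-256 of the DER encoding: the value you verify out of band.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// TrustRoot builds a trust store containing the root, but only if the
// fingerprint you obtained independently matches the cert you collected.
func TrustRoot(root *x509.Certificate, expectedFP string) (*x509.CertPool, error) {
	if Fingerprint(root) != expectedFP {
		return nil, errors.New("root fingerprint mismatch: refusing to trust it")
	}
	pool := x509.NewCertPool()
	pool.AddCert(root)
	return pool, nil
}

// VerifyServer is what a client does on connect: chain the leaf to a trusted
// root and check that the name matches. With an empty pool it fails, which is
// exactly the "untrusted issuer" warning a browser shows for a private root.
func VerifyServer(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// IssueCRL publishes the serials the CA has withdrawn, signed by the CA key.
func (ca *PrivateCA) IssueCRL(revoked []int64) (*x509.RevocationList, error) {
	var entries []pkix.RevokedCertificate
	for _, s := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: time.Now()})
	}
	tmpl := &x509.RevocationList{
		Number:              big.NewInt(1),
		ThisUpdate:          time.Now().Add(-time.Hour),
		NextUpdate:          time.Now().Add(24 * time.Hour),
		RevokedCertificates: entries,
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca.Cert, ca.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// CheckRevocation is the purpose of a CRL: a leaf that still chains to the
// root is nonetheless rejected once its serial appears on a fresh, CA-signed list.
func CheckRevocation(leaf *x509.Certificate, crl *x509.RevocationList, issuer *x509.Certificate) error {
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return err
	}
	if time.Now().After(crl.NextUpdate) {
		return errors.New("CRL is stale, fetch a newer one")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return errors.New("certificate is revoked")
		}
	}
	return nil
}

func main() {
	ca, _ := NewPrivateCA("Example Private Root CA")
	leaf, _ := ca.IssueServerCert("mail.example.test", 1001)
	fmt.Println("root fingerprint:", Fingerprint(ca.Cert))
	pool, _ := TrustRoot(ca.Cert, Fingerprint(ca.Cert))
	fmt.Println("trusted root, verify:", VerifyServer(leaf, pool, "mail.example.test"))
	fmt.Println("empty store, verify:", VerifyServer(leaf, x509.NewCertPool(), "mail.example.test"))
	crl, _ := ca.IssueCRL([]int64{1001})
	fmt.Println("after revocation:", CheckRevocation(leaf, crl, ca.Cert))
}
```

The order matters: chain validation and revocation are separate checks, and a client that does only the first will keep accepting a cert the CA has already withdrawn, which is the gap the post's "very few know the purpose of a CRL" points at.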
