[Dshield] Self-signed certificates (was: Re: ISP's That Ignore Abuse Reports)

Tom dshield at oitc.com
Wed Jun 15 23:29:28 GMT 2005


I agree with jayjwa, and it should be noted that many governments 
(including the US and US Military) are all self-signed with no formal CA.

Tom

At 7:19 AM -0400 6/15/05, jayjwa wrote:
>On Mon, 13 Jun 2005, Stephane Grobety wrote:
>
>-> I would like to remind you that using self-signed certificates and
>-> private CAs for anything but internal use is bad(tm).
>
>My CA is better maintained than most. I've seen "server at example.com" on
>production sites and other such nonsense. Microsoft's own on one of their
>sites (can you find it?) lacks an issuer entirely. Very few know the
>purpose of a CRL. I issue my own certs, signed by that one, and all of my
>daemons, including my MTA, present one. Myself and those that visit my
>site or connect to my daemons have a lot more trust and faith in me
>than in some company they've never met, seen, nor spoken with. I'm not
>against it, but simply because a big-name company charges $200+ for their
>signature does not a more secure server make. Certainly your browser
>alerted you to this; I've not seen one that did not. You then can make the
>choice yourself. Oddly enough, if it had been a plain old http connection,
>I doubt anyone would have said a word. The only pieces I had left out of
>that certificate were my state and city, which I thought was a bit
>personal to post in a very public place, but as my friend in the other
>thread has felt the need to announce this anyway, perhaps now I will
>include it.
>
>I do not mind connecting to a site and seeing a self-signed cert, as long as
>it's done correctly. I've seen universities do it, commercial sites do it,
>special-interest groups do it, and so on down the line. Collect the root
>CA, verify it, and if it satisfies you, put it with your others. It's not a
>Bad Idea, it's a matter of trust.
>
>--
>Confidentiality Notice: This email may contain confidential
>and privileged information. If in the event that it does,
>please send it back to me with a reply telling me how
>stupid I am for sending confidential info to a public forum.


-- 

Tom Shaw - Chief Engineer, OITC
<tshaw at oitc.com>, http://www.oitc.com/
US Phone Numbers: 321-984-3714, 321-729-6258(fax), 
321-258-2475(cell/voice mail,pager)
Text Paging: http://www.oitc.com/Pager/sendmessage.html
http://www.oitc.com/Antarctica/

PGP Public Keys available at:
PGP's Key Server: ldap://keyserver.pgp.com/
OITC's Public Key List: http://www.oitc.com/OITC/PGPKeys.html
14A7 A308 266A 3646 FBA8  9A86 E139 F108 B1BE 37BD
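The procedure jayjwa describes above (a private root CA, leaf certificates signed by it, a CRL, and a client that collects and verifies the root before trusting it), shown as an added shell example built on the openssl CLI. This is not code from the original posts or from the list; the CA name, the hostname mail.example.test, the scratch directory and the config section names are assumptions made for the demonstration. It issues a server certificate, verifies it with CRL and hostname checking, then revokes it and shows that the same check now fails.

```shell
#!/bin/sh
# Added example, not from the original posts: a private CA with a CRL,
# run with the openssl CLI (1.1.1 or 3.x). All names are hypothetical.
set -eu

# Minimal config for "openssl req" and "openssl ca". Paths are relative
# to $dir, so every openssl call below runs from inside the CA directory.
write_ca_config() {
    cat > "$1/ca.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt             = no
[ req_dn ]
commonName = placeholder
[ ca ]
default_ca = private_ca
[ private_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_cn_only
unique_subject   = no
[ policy_cn_only ]
commonName = supplied
# Root: may sign certificates and CRLs, nothing else.
[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
# Leaf: a TLS server cert; the SAN is what clients match the hostname against.
[ srv_ext ]
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:mail.example.test
authorityKeyIdentifier = keyid
EOF
}

# Create the CA state files and the self-signed root certificate.
setup_private_ca() {
    mkdir -p "$1/newcerts"
    : > "$1/index.txt"          # openssl ca's database of issued certs
    echo 1000 > "$1/serial"     # next certificate serial (hex)
    echo 1000 > "$1/crlnumber"  # next CRL number (hex)
    write_ca_config "$1"
    ( cd "$1" && openssl req -x509 -config ca.cnf -extensions ca_ext \
        -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example Private Root CA" \
        -keyout ca.key -out ca.crt >/dev/null 2>&1 )
}

# Issue a server certificate from a CSR and publish the first (empty) CRL.
issue_server_cert() {
    ( cd "$1" \
      && openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -sha256 \
           -subj "/CN=mail.example.test" -keyout srv.key -out srv.csr >/dev/null 2>&1 \
      && openssl ca -batch -config ca.cnf -extensions srv_ext -notext \
           -in srv.csr -out srv.crt >/dev/null 2>&1 \
      && openssl ca -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1 )
}

# Revoke the server certificate and republish the CRL.
revoke_server_cert() {
    ( cd "$1" \
      && openssl ca -config ca.cnf -revoke srv.crt -crl_reason keyCompromise >/dev/null 2>&1 \
      && openssl ca -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1 )
}

# What a careful client does once it has collected the root: check the
# chain, the hostname and the CRL. Returns 0 only if all three pass.
verify_server_cert() {
    ( cd "$1" && openssl verify -crl_check -verify_hostname mail.example.test \
        -CAfile ca.crt -CRLfile ca.crl srv.crt >/dev/null 2>&1 )
}

# The value to compare, over some other channel, before putting the root
# "with your others" in a trust store.
root_fingerprint() {
    openssl x509 -in "$1/ca.crt" -noout -fingerprint -sha256
}

# Full cycle in a scratch directory; prints "before=valid after=revoked".
run_demo() {
    dir=$(mktemp -d)
    setup_private_ca "$dir"
    issue_server_cert "$dir"
    if verify_server_cert "$dir"; then before=valid; else before=invalid; fi
    revoke_server_cert "$dir"
    if verify_server_cert "$dir"; then after=valid; else after=revoked; fi
    root_fingerprint "$dir" >&2
    rm -rf "$dir"
    echo "before=$before after=$after"
}

run_demo
```

The point of the last two steps is the one jayjwa makes about CRLs: a self-signed root is only as good as the operator's ability to withdraw what it signed, and a client that trusts the root but never fetches the CRL (the default for most tools unless told otherwise, as with -crl_check here) will keep accepting a revoked certificate.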
