Nelson, I think you may want to qualify your message in this paragraph, so as to not mislead people who don't understand PKI very well.
As I'm sure most people on this list know, every Root CA certificate is a self-signed certificate. There is nothing inherently insecure about such certificates, or the ones they issue. It is the policies, procedures and technology used to protect the components of a PKI that make them secure or insecure (as some recent discussions on this list are highlighting). What makes self-signed *end-entity* certificates insecure is that RPs are required to make trust decisions about the certificate(s) with little or no knowledge about them. However, there are many situations where self-signed end-entity certs may be acceptable even in Production: point-to-point security between servers where the client and server are controlled by a single individual/group. Since this individual/group is/are the creators and relying parties themselves, as long as the components of their infrastructure are well-protected, these self-signed certs could be deemed secure. That said, any infrastructure that used PKCS components is better served building a PKI - no matter how small it may be - to manage the certs and the procedures used in managing them. Additionally, they should also use some hardware crypto module - smartcard, TPM or HSM - to protect the private-key of their certificates. If they do these two things and follow their self-directed policies and procedures with reasonable diligence, then I would argue that there is no difference between self-signed or public-CA issued certs. Arshad Noor StrongAuth, Inc. Nelson B Bolyard wrote: > The big warning paragraph that you quoted (and I snipped) is really trying > to warn against the use of certutil (or any tool that produces self-signed > certificates) for certificate issuance in production environments. The > page is explaining how to setup a very small scale CA using certutil for > use in very small scale test environments. The warning is intended to be > "If you use self-signed server certs in production, you'll be sorry!". > It doesn't say that very well. The warning sounds like it's saying > "certutil does a bad job of issuing self-signed certs", but that's not the > issue. Some people read it as if it is saying "don't use certutil for this, > but instead use some other tool like OpenSSL", and that's exactly the wrong > message. The message is: "don't use self-signed server certs in production. > The tool that makes them doesn't matter. Self-signed certs are bad for > production." _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
