On Tue, Jan 06, 2009 at 10:22:29AM +0100, Wojciech Puchar wrote:
> >>someone like the FreeBSD Foundation as an appropriate body to own the 
> >>cert.
> >
> ><OT>
> >I would actually trust a self-signed cert by the FreeBSD security officer,
> >more then one by Verisign.
> of course.
> there is no need to have an "authority" to make key pairs, everybody do it 
> alone.
> actually i would fear using such keys because i'm sure such companies do 
> have a copy of both keys.

Out-of-band corroboration of a certificate's authenticity is kind of
necessary to the security model of SSL/TLS.  A self-signed certificate,
in and of itself, is not really sufficient to ensure the absence of a man
in the middle attack or other compromise of the system.

On the other hand, I don't trust Verisign, either.

I believe some steps are being made by the Perpsectives [1] project that
lead in the right direction [2].  Unfortunately, it's not available at
present for FreeBSD, because the Firefox plugin depends on a binary
executable compiled from C, and my (brief) discussion with one of the
people involved in the project about the potential of porting it to
FreeBSD didn't really bear fruit.

[1] http://www.cs.cmu.edu/~perspectives/index.html
[2] http://blogs.techrepublic.com.com/security/?p#571

Chad Perrin [ content licensed OWL: http://owl.apotheon.org ]
Quoth Anonymous: "Why do we never have time to do it right, but always
have time to do it over?"

Attachment: pgpdWFBWpraoO.pgp
Description: PGP signature

Reply via email to