"Self-signed certificate" means a certificate that is at the bottom of the chain: there is no higher (mixing my tops and bottoms here) authority that vouches for it.

Every CA root certificate is self-signed. (Who else would sign it? The Pope? Bill Gates? Stephen Hawking?)

For a normal endpoint certificate you accept it because the CA certificate that is at the head of its authentication chain is pre-installed. For a self-signed certificate, that is the certificate itself.

Every time you install a root certificate as trusted you are saying "I trust this certificate. We trust this certificate." That is equally true for a DigiCert certificate or a Foobar the CA certificate.

There is nothing inherently wrong with self-signed certificates. Just like every other certificate -- if you are going to trust it you have to know what you are doing.

Why should a particular CA be trusted? That is up to the trustor to decide. There is never any higher authority. (See above.)

> What is the trail of authentication? ... Is it
> merely that the CA vouches that your public key belongs to the
> entity that once called itself "Charles Mills" and paid with a credit
> card?

Basically, yes. I would say "the CA vouches that the *subject name* in the certificate belongs to Charles Mills." (The certificate *has* a public key -- that key is part of the certificate and does not "belong to" anyone else. The owner of the certificate presumably has under safekeeping the corresponding private key.)

Are CAs perfect? I don't *know* of a CA hack but I do know of (I should probably say "alleged") CA sloppiness: https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html

Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Paul Gilmartin
Sent: Monday, August 31, 2020 7:47 AM
To: [email protected]
Subject: Re: setting up CSSMTP to use TLS-SSL

On Mon, 31 Aug 2020 06:31:12 -0700, Charles Mills wrote:

>A self-signed certificate *is* a root certificate -- the two terms are
>essentially synonymous (although they are used with different implications).
>If the SMTP server is presenting a self-signed certificate then it effectively
>is its own CA certificate, and you will have to install it in RACF.
>
What does "self-signed certificate" mean? Who should trust one? I'm imagining, in the extreme, a certificate self-signed by Guccifer 2.0.

What is the trail of authentication? I understand you have a cert. What did you need to do to authenticate yourself to the CA? Is it merely that the CA vouches that your public key belongs to the entity that once called itself "Charles Mills" and paid with a credit card?

And quis custodiet ipsos custodes? Why should a particular CA be trusted other than the authority of a higher CA? I understand there have been compromised CAs, by hacks rather than intrinsic fraud.
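Added example, not part of the thread above: a small openssl script that builds a self-signed root ("Foobar the CA"), issues a server certificate from it, and then checks which trust-store contents make each certificate verify. The names (Foobar the CA, smtp.example.test) are constructed, and openssl is assumed to be on the PATH.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a tiny PKI with openssl and
# checks what verifies against what. All names below are constructed.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not on PATH"; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed root: issuer and subject are the same name, signed with its own key.
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Foobar the CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# Endpoint certificate for the SMTP server, signed by the root (not by itself).
openssl req -newkey rsa:2048 -nodes -subj "/CN=smtp.example.test" \
    -keyout "$WORK/smtp.key" -out "$WORK/smtp.csr" 2>/dev/null
openssl x509 -req -in "$WORK/smtp.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -out "$WORK/smtp.pem" 2>/dev/null

# Prints "self-signed" when a certificate's issuer equals its subject, else "issued".
cert_kind() {
  issuer=$(openssl x509 -in "$1" -noout -issuer)
  subject=$(openssl x509 -in "$1" -noout -subject)
  if [ "${issuer#issuer=}" = "${subject#subject=}" ]; then
    echo self-signed
  else
    echo issued
  fi
}

# Succeeds only when certificate $1 chains to a certificate in trust-store file $2.
verify_against() {
  openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

report() {
  if verify_against "$1" "$2"; then echo "$1 against $2: OK"; else echo "$1 against $2: FAIL"; fi
}

echo "ca.pem is $(cert_kind "$WORK/ca.pem"); smtp.pem is $(cert_kind "$WORK/smtp.pem")"
report "$WORK/smtp.pem" "$WORK/ca.pem"    # OK: the store holds the head of the chain
report "$WORK/smtp.pem" "$WORK/smtp.pem"  # FAIL: an endpoint cert cannot vouch for itself
report "$WORK/ca.pem" "$WORK/ca.pem"      # OK: for a root, the trust anchor is the cert itself
report "$WORK/ca.pem" "$WORK/smtp.pem"    # FAIL: a store without the root has no reason to trust it
```

The last two lines are the point of the thread: the root verifies only because someone chose to put it in the store, which is exactly what installing it in RACF does.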
