Paul G. Allen wrote:
> [EMAIL PROTECTED] wrote:
>> The fact is many people think self-signed certs that make browsers give a
>> warning message about them are *bugs* in a web app.
>>
>> Does this mean *every* little web app company needs to pay the
>> "Verisign tax" to get their server keys signed by them? That's kind of
>> depressing and against the values of the web it seems to me.
>
> I read some years ago that self-signed certs are more secure as the data
> encrypted by certified keys are accessible to those with access to the
> key data from the CA (e.g. - the feds).
>
> I never followed up on the story, nor have done any further research
> into the credibility of the claim however.

I don't really see that argument. The overwhelming use of ssl certs is to
establish credible identity, I believe. If the top level root CA certs have
gu'ment fingers in them, then the only consequence is questionable
authenticity of root-signed certs or, I suppose, bogus revocations.

Am I mistaken?

Regards,
..jim

--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
