On Thu, Jun 19, 2008 at 12:37:17PM -0700, James G. Sack (jim) wrote:
I read some years ago that self-signed certs are more secure as the data
encrypted by certified keys are accessible to those with access to the
key data from the CA (e.g. - the feds).
I don't really see that argument. The overwhelming use of ssl certs is
to establish credible identity, I believe. If the top level root CA
certs have gu'ment fingers in them, then the only consequence is
questionable authenticity of root-signed certs or, I suppose, bogus
revocations.
Am I mistaken?
I would be concerned as to how a key is generated. If I generate my own
key, and ask the root CA to sign it, then I'm only using them to
authenticate my certificate. If their procedure requires them to generate
my key first, it could be a weak key in a way that wouldn't be easy for me
to detect. It would at least be a good sanity test to test the things that
are supposed to be prime for primality and probably that the factors are
safe primes and stuff like that.
Anybody ever gotten an official CA key? Did they generate the key, or do
they let you generate the key, and they then sign it as the service?
David
--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
