While I will agree that the client being able to validate the certificate 
directly is the best place to be, I do not see any advantage of requiring 
purchased certificates over self-signed certificates.  IMO it provides no 
realistic security benefit at all.

Then again I don't award points for 
certificate verification having anything to do with identity verification of 
the remote party.

In other words, if I didn't sign it then the certificate possesses no more 
validity than an ephemeral self-signed certificate.

Of course, others are free to delude themselves with additional "theatrics" 
and false assumptions if they want to do so.

-------- Original message --------
From: Christopher Morrow <[email protected]> 
Date:  
To: kmedcalf <[email protected]> 
Cc: [email protected],[email protected] 
Subject: Re: Gmail and SSL 
 
