On Wed, Jan 2, 2013 at 1:39 PM, Christopher Morrow <[email protected]> wrote:
> goodness-scale (goodness to the left)
> signed > self-signed > unsigned

Hi Chris,

Self-signed and unsigned are identical. The "goodness" scale is:

Encrypted & Verified (signed) > Encrypted Unsigned (or self-signed, same difference) > Unencrypted but physically protected > Unprotected

> I don't think there's much disagreement about that... the sticky
> wicket though is 'how much better is 'signed' vs 'self-signed' ? and I
> think the feeling is that:

I don't see how "feeling" plays into it. Communications using an unverified public key are trivially vulnerable to a man-in-the-middle attack where the connection is decrypted, captured in its unencrypted form and then undetectably re-encrypted with a different key. Communications using a key signed by a trusted third party suffer such attacks only with extraordinary difficulty on the part of the attacker.

It's purely a technical matter. The information you're trying to protect is either sensitive enough that this risk is unacceptable or it isn't. That's purely a question for the information owner. No one else's opinion matters for squat.

Regards,
Bill Herrin

-- 
William D. Herrin ................ [email protected] [email protected]
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
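The distinction Bill draws (a self-signed key is no better than an unsigned one, while a key endorsed by a trusted third party lets the client detect a key swapped on the path) can be shown with a small model. This is an added example, not code from the thread or from any of its authors; it uses Go's standard-library ed25519, and the names Endorsement, acceptUnverified, acceptCASigned and Scenario, as well as the seeds, are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Endorsement is a public key plus a signature over it (by a CA, or by the key holder itself).
type Endorsement struct {
	Key ed25519.PublicKey
	Sig []byte
}

func keyFromSeed(b byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{b}, ed25519.SeedSize)) // constructed seed
	return priv.Public().(ed25519.PublicKey), priv
}

// acceptUnverified is the "encrypted but unsigned/self-signed" policy: use whatever
// key arrives. A self-signature proves nothing, since the presenter is also the signer.
func acceptUnverified(e Endorsement) ed25519.PublicKey { return e.Key }

// acceptCASigned is the "encrypted and verified" policy: use the key only if the
// trusted third party's signature over it verifies.
func acceptCASigned(e Endorsement, caPub ed25519.PublicKey) (ed25519.PublicKey, error) {
	if !ed25519.Verify(caPub, e.Key, e.Sig) {
		return nil, errors.New("key not signed by the trusted CA; refusing to proceed")
	}
	return e.Key, nil
}

// Scenario models a connection where the key reaching the client is a self-signed substitute
// inserted on the path; it reports whether the genuine key verifies and which policy is fooled.
func Scenario() (genuineAccepted, unverifiedFooled, verifiedFooled bool) {
	caPub, caPriv := keyFromSeed(1)
	serverPub, _ := keyFromSeed(2)
	subPub, subPriv := keyFromSeed(3)
	genuine := Endorsement{serverPub, ed25519.Sign(caPriv, serverPub)} // as the server sends it
	_, err := acceptCASigned(genuine, caPub)
	genuineAccepted = err == nil
	presented := Endorsement{subPub, ed25519.Sign(subPriv, subPub)} // what actually arrives
	unverifiedFooled = acceptUnverified(presented).Equal(subPub)
	k, err := acceptCASigned(presented, caPub)
	verifiedFooled = err == nil && k.Equal(subPub)
	return
}

func main() { fmt.Println(Scenario()) }
```

Running it prints `true true false`: the CA-verified client accepts the server's real key, the unverified client happily encrypts to the substitute, and the verified client refuses it.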

