On Mon, 8 Jul 2002, Analysis & Solutions wrote:

> Allow me to emphasize Richard's point about not trusting certificate
> authorities. I have an SSL certificate. It was fairly simple to get,
> despite several discrepancies in my documentation.
>
> While it made things easier for me, which I'm thankful for. Fortunately,
> I'm a legitimate operator. But, it certainly demonstrates that subverting
> the process for nefarious reasons is a piece of cake.
But you're both ignoring the actual significant point (which I already made at great length, and feel somewhat like a sap for repeating): Having a certificate signed by a recognized certificate authority provides at least some guarantee that you are communicating with the named party using somewhat reliable encryption.

On the other hand, if you connect with a remote site that has a self-signed certificate, it's little better than using cleartext to port 80; almost anyone who would realistically have been in a position to snoop on your HTTP traffic is also in a position to intercept and decode your HTTPS traffic by masquerading as the remote host. So what's the point?

Self-signed certificates only make sense if you are able to securely distribute your signer's public key to your users in advance of the web transaction. This is fine for internal or staff use, but it is pretty unwieldy when you're dealing with the general public.

miguel

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
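The distinction miguel draws (a signer's public key distributed to the client in advance versus trusting whatever certificate the remote host presents) can be reproduced on a workstation with the openssl command line. The script below is an added illustration written for this page, not code from anyone in the thread; the CA name "Example Internal CA" and the host name www.example.test are constructed for the example. It creates a private CA whose certificate stands in for the pre-distributed signer key, issues a server certificate from it, and then creates a second, self-signed certificate carrying the same host name to play the impostor that a man-in-the-middle would present. The CA file accepts the legitimate certificate and rejects the impostor; but if the client treats the presented certificate as its own trust anchor, which is what clicking through a self-signed-certificate warning amounts to, the impostor verifies just fine.

```shell
#!/bin/sh
# Added example (not from the original thread): why a pre-distributed
# signer key is what makes certificate verification meaningful.
# Requires the openssl CLI (OpenSSL 1.1.1 or later assumed).
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. The signer: a private CA. Its certificate (ca.pem) is the thing you
#    would have to hand to users securely, in advance. (Names are constructed.)
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example Internal CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# 2. The legitimate server: a key and CSR, signed by the CA above.
openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=www.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
openssl x509 -req -in "$WORK/server.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 365 -out "$WORK/server.pem" 2>/dev/null

# 3. The impostor: a self-signed certificate for the SAME host name, which is
#    all an attacker sitting between you and port 443 needs to produce.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=www.example.test" \
    -keyout "$WORK/impostor.key" -out "$WORK/impostor.pem" 2>/dev/null

# Verify a presented certificate ($2) against a trust anchor file ($1).
# Returns 0 when openssl accepts the chain, non-zero when it rejects it.
verify_against_signer() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print a one-line verdict without tripping set -e on an expected rejection.
report() {
    if verify_against_signer "$1" "$2"; then
        echo "$3: ACCEPTED"
    else
        echo "$3: REJECTED"
    fi
}

# Client holds the CA certificate in advance: only the genuine server passes.
report "$WORK/ca.pem" "$WORK/server.pem"   "pre-distributed CA vs genuine server"
report "$WORK/ca.pem" "$WORK/impostor.pem" "pre-distributed CA vs impostor"

# Client trusts whatever the peer presents (the self-signed case miguel
# describes): the impostor is its own signer, so it is accepted.
report "$WORK/impostor.pem" "$WORK/impostor.pem" "presented cert as its own anchor"
```

The third line of output is the whole argument: a self-signed certificate vouches only for itself, so unless the verifier already held the signer's key, the encryption is being negotiated with whoever answered the connection.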