i have a question regarding self-signed certificate

2006-10-13 Thread Chong Peng
guys:

we all know that a ca-signed certificate can provide authentication because the 
ca is trustable; by using a ca-signed certificate, one is saying I am somebody 
because the ca says so. but it seems that a self-signed certificate _cannot_ 
provide any authentication at all, because by using a self-signed certificate, 
one is saying I am somebody because I say so. 

if my understanding is correct, then why are self-signed certificates still used?

thanks.

chong peng
__
OpenSSL Project http://www.openssl.org
User Support Mailing List    openssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]


Re: i have a question regarding self-signed certificate

2006-10-13 Thread Max Pritikin


Recall that even the 'ca' certificate is ultimately self-signed. So 
your question is really about why some self-signed certificates are 
more trusted than others.

In some fashion you could ask this question about any typical 'brand 
name' store. Why is Store-X trusted more than Store-Y? Simply because 
more people (or at least the person in question) have more experience 
with Store-X. Similarly for any particular self-signed CA cert, 
although we replace experience here with 'it is already in my 
certificate store', it is more trusted if the client knows about it 
already.

Now what if Store-Y isn't a chain store? Instead it is a little local 
boutique. Perhaps there isn't a need/expectation that a brand name 
and national marketing campaign are required; but they'd still like 
people to recognize their letterhead. So a logo and a local 'brand' 
are all that is required.

Similarly, if all I want is for people to recognize my self-signed 
certificate I don't really need a CA, a PKI hierarchy and all that. 
One self-signed certificate should be enough...

If I've made things confusing with my metaphor you could also just 
think about the model for ssh... it is often valuable just to be able 
to know you're communicating with the same person you communicated 
with last time.


- max

On Oct 13, 2006, at 5:02 PM, Chong Peng wrote: