On Tue, Jan 06, 2009 at 10:22:29AM +0100, Wojciech Puchar wrote: > >>someone like the FreeBSD Foundation as an appropriate body to own the > >>cert. > > > ><OT> > >I would actually trust a self-signed cert by the FreeBSD security officer, > >more then one by Verisign. > of course. > > there is no need to have an "authority" to make key pairs, everybody do it > alone. > > actually i would fear using such keys because i'm sure such companies do > have a copy of both keys.
Out-of-band corroboration of a certificate's authenticity is kind of necessary to the security model of SSL/TLS. A self-signed certificate, in and of itself, is not really sufficient to ensure the absence of a man in the middle attack or other compromise of the system. On the other hand, I don't trust Verisign, either. I believe some steps are being made by the Perpsectives [1] project that lead in the right direction [2]. Unfortunately, it's not available at present for FreeBSD, because the Firefox plugin depends on a binary executable compiled from C, and my (brief) discussion with one of the people involved in the project about the potential of porting it to FreeBSD didn't really bear fruit. NOTES: [1] http://www.cs.cmu.edu/~perspectives/index.html [2] http://blogs.techrepublic.com.com/security/?p#571 -- Chad Perrin [ content licensed OWL: http://owl.apotheon.org ] Quoth Anonymous: "Why do we never have time to do it right, but always have time to do it over?"
pgpdWFBWpraoO.pgp
Description: PGP signature