Regarding self-signed certs, Alexey and I had the following exchange...

On 4/5/10 3:34 PM, Alexey Melnikov wrote:
> Peter Saint-Andre wrote:
>
>> Given that a self-signed certificate can say *anything*, I don't know
>> that it's helpful to enforce any rules about issuance and checking of
>> self-signed certs. It's not as if any "certification" has taken place in
>> this situation.
>>
> +1.

Someone named "ArkanaoiD" (how's that for identity? :) wrote:

> Well, when it comes to implementation we get *two* matching algorithms
> then, which is definitely no good.

IMHO we don't necessarily get two matching algorithms -- it's just that the matching algorithm for self-signed certificates is not specified in this document. Given that we are trying to define best practices for secure authentication of application services, I don't think it makes a lot of sense to discuss self-signed certs.

Bruno Harbulot wrote:

> I'm not sure this I-D should treat self-signed certs completely
> differently from CA-issued certs. Self-signed certs could be considered
> as a special case of CA-issued certs.

And Bil Corry wrote:

> I agree. Isn't the distinction between CA-issued certs and self-signed
> certs more-or-less which CAs you choose to trust?

Bruno and Bil, would you find it acceptable if this document simply does not mention self-signed certificates? We really are trying to limit the scope of this document to a very particular problem, but I'm quite open to discussing related problems in other documents. However, if it is going to be more confusing to say that self-signed certs are out of scope then I'd consider including some text about them.

Peter

--
Peter Saint-Andre
https://stpeter.im/
_______________________________________________
certid mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/certid
