In article <[EMAIL PROTECTED]>,
 Neil Stevens <[EMAIL PROTECTED]> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On Thursday 11 November 2004 05:06 pm, Justin Karneges wrote:
> > While JD's comments sum this up nicely, I just want to reiterate loudly
> > that self-signed certificates alone truly are worthless.  I'm not even
> > talking about man in the middle attacks either.  As a form of identity,
> > a self-signed cert is as effective as the "From:" header in good old
> > SMTP, and this would allow spammers to get right in and start faking
> > domains.
> 
> Wrong.  If a certificate remains unchanged, then you know that as long as 
> it is unchanged, you're continuing to connect to the server you connected 
> to in the past.
> 
> You can't know if there's a man-in-the-middle in progress when you first 
> connect, but if you're remembering the certificate and someone tries one after 
> a while, you will be able to detect that.
> 
> ssh does this, for example.

Precisely. And one can argue that ssh is the most-used encryption 
technology on the planet. Perhaps "opportunistic cryptography" is not a 
bad model to follow? Even the IETF seems to be moving in the direction 
of recognizing reality on this issue -- see the "Better Than Nothing 
Security" BOF at IETF 61 this week:

http://www.financialcryptography.com/mt/archives/000247.html#more

Peter

_______________________________________________
jdev mailing list
[EMAIL PROTECTED]
http://mail.jabber.org/mailman/listinfo/jdev
