Robert Kern wrote:
> On 2009-03-09 13:52, R. David Murray wrote:
>> The web _really, really_ needs some sort of mechanism for a site
>> to say "I'm not claiming anything about my identity, I'm just
>> providing you an https channel over which to talk to me
>> securely".
>
> If I don't claim an identity and provide a way for you to authenticate that
> claim, the channel is vulnerable to a man-in-the-middle attack and, therefore,
> is not secure. It would provide moderate protection against naive eavesdropping,
> though. Is that what you meant?

There might be a way to authenticate that claim: if you know who this site is supposed to be owned by, you can call them and ask them to read the fingerprint over the phone. Or they could print it on all their paper communication, which would be even better.

Once (back in 2000) I had to order a signed certificate for a company that didn't exist (yet), and to my surprise it worked (and this was from a very well-known CA). That was the last day I really trusted certificates signed by (most) commercial CAs...

So my conclusion is: the only way to be really sure if a certificate is good is the same for both types (self-signed or signed by a "trusted" CA).

--
JanC
--
http://mail.python.org/mailman/listinfo/python-list