Hi Simon,
> 1.- Certify endpoints. For this there must be an unbroken certificate
> chain from a trusted CA down through 0 or more intermediate
> certificates to the end certificate that is being used. For this
> purpose Vilius is right, self-signed certificates are no use.

Why would that be?

For one, if I issued the certificate myself, I know the certificate, and if it is presented in its original form (which I can verify, since I know what is "good"), the endpoint passes as valid.

Second, man-in-the-middle attacks usually don't happen on a permanent basis. That means that if someone is eavesdropping on your traffic, he will most probably do so intermittently, rather than all the time. Therefore the presented certificate will keep changing. If I accept one certificate for a specific endpoint, I get notified if this certificate supposedly changed and can inquire with the admin of the remote system whether this is all right.

While not automatic, the endpoint _is_ certified (or at least certifiable) nevertheless using self-signed certificates. You just have to do the checking yourself instead of leaving it to the machine, that's all.

-- 
With kind regards
Alto Speckhardt
mailto:a...@treadstone79.de
TheBat v5.0.8
________________________________________________________ Current beta is 5.0.6.1 | 'Using TBBETA' information: http://www.silverstones.com/thebat/TBUDLInfo.html
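The two ways of "certifying an endpoint" that this thread contrasts, as an added example that is not part of the list discussion or of The Bat!: the automatic check walks the chain leaf -> intermediate -> trusted root and matches the host name, so a self-signed certificate is rejected unless that exact certificate is itself put in the trust store; the manual alternative is trust-on-first-use pinning, which records the SHA-256 fingerprint on first contact and only reports a change afterwards. The CA names, the host `mail.example.test`, the `PinStore` type and the `issue` helper are constructed for the demonstration (keys are generated in memory; nothing is written to disk).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate for cn (constructed for this demonstration).
// With parent == nil the certificate is self-signed; otherwise it is signed
// by parent with parentKey. CA certificates get BasicConstraints/IsCA so a
// verifier accepts them as issuers; end-entity certificates get the host name
// in the SAN, which is what verifiers actually match.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// verifyChain is the automatic check: leaf must chain through the supplied
// intermediates to the trusted certificate and carry host in its SAN.
func verifyChain(leaf, trusted *x509.Certificate, host string, intermediates ...*x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	inters := x509.NewCertPool()
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err
}

// Fingerprint is the SHA-256 of the DER encoding, the value an operator
// compares out of band with the remote admin.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// PinStore is a trust-on-first-use table: host -> fingerprint first seen.
type PinStore map[string]string

// Check pins the certificate on first contact; afterwards it reports whether
// the presented certificate still matches. "changed" is the case to take to
// the remote admin before continuing. Note that the first contact is trusted
// blindly: an attacker present at that moment is pinned, not detected.
func (s PinStore) Check(host string, presented *x509.Certificate) string {
	fp := Fingerprint(presented)
	known, seen := s[host]
	switch {
	case !seen:
		s[host] = fp
		return "pinned"
	case known == fp:
		return "match"
	default:
		return "changed"
	}
}

func main() {
	host := "mail.example.test"
	root, rootKey := issue("Example Root CA", true, nil, nil)
	inter, interKey := issue("Example Intermediate CA", true, root, rootKey)
	leaf, _ := issue(host, false, inter, interKey)
	self, _ := issue(host, false, nil, nil)
	fmt.Println("CA-issued, full chain:      ", verifyChain(leaf, root, host, inter))
	fmt.Println("CA-issued, no intermediate: ", verifyChain(leaf, root, host))
	fmt.Println("self-signed vs CA root:     ", verifyChain(self, root, host))
	fmt.Println("self-signed, itself trusted:", verifyChain(self, self, host))
	pins := PinStore{}
	fmt.Println("TOFU:", pins.Check(host, self), pins.Check(host, self))
	mitm, _ := issue(host, false, nil, nil) // a different self-signed cert for the same host
	fmt.Println("TOFU:", pins.Check(host, mitm), Fingerprint(mitm)[:16]+"...")
}
```

The chain check needs no prior contact with the endpoint but rejects every certificate that is not anchored in its root pool, including a self-signed one; pinning accepts whatever it saw first and detects only later substitutions, so the manual fingerprint comparison on first contact is what carries the trust.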