André,

On 3/13/2009 10:38 AM, André Warnier wrote:
> Unless I am mistaken, I don't think that, in order to use HTTPS to protect
> the user-id/password from eavesdropping by some miscreant, you
> necessarily have to have a Verisign certificate for each site.

Correct. You need to use an SSL cert, but it doesn't need to be signed by a
widely-trusted certificate authority.

> Again unless I am mistaken, a CA-signed certificate is meant to be used
> to reassure the client that he is really talking to the server you say
> you are, and not some other impersonating phishing site.

Again, correct.

> But it is not a prerequisite for simply making a connection through HTTPS.

Right, but it /is/ a prerequisite for most users not getting a scary
"UNTRUSTED SECURITY CERTIFICATE" warning.

It's too bad that, with the introduction of EV certs, the big CAs aren't just
giving away the old certs. Or offering a super-low-cost certificate that says
"this is really only good for channel encryption, we didn't do any checking
into the legitimacy of this organization".

-chris
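The distinction drawn in the exchange above (a self-signed certificate is enough to set up an encrypted HTTPS channel, but it only passes the client's trust check if the client already trusts that exact certificate) can be seen directly with the openssl CLI. The script below is an added example, not code from the thread or from Tomcat; it assumes an `openssl` binary on PATH, and the file names and function names are its own choices.

```shell
#!/bin/sh
# Added example, not from the thread. Shows why a self-signed certificate is
# enough for an HTTPS connection yet still trips the browser's "untrusted"
# warning: it verifies only against a trust store that already contains it.
# Assumes the openssl CLI is on PATH; file and function names are this
# example's own choices.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CRT="$WORK/server.crt"
KEY="$WORK/server.key"

# Mint a self-signed certificate: subject and issuer are the same name, so
# nobody but the server itself is vouching for the identity it claims.
# (-nodes leaves the private key unencrypted; fine for a throwaway demo key.)
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=localhost" -keyout "$KEY" -out "$CRT" >/dev/null 2>&1
}

# "Self-signed" in the X.509 sense: the issuer DN equals the subject DN.
is_self_signed() {
    issuer="$(openssl x509 -in "$CRT" -noout -issuer)"
    subject="$(openssl x509 -in "$CRT" -noout -subject)"
    # strip the "issuer=" / "subject=" prefixes before comparing the names
    [ "${issuer#issuer=}" = "${subject#subject=}" ]
}

# Verify the way a client holding only the usual public roots would: the
# certificate chains to nothing that client trusts. Echoes "ok" or "fail"
# based on the output text rather than the exit status, because older
# openssl releases did not set a non-zero status on verification failure.
verify_against_public_roots() {
    if openssl verify "$CRT" 2>&1 | grep -q ': OK'; then
        echo ok
    else
        echo fail
    fi
}

# Verify after the client has explicitly installed this very certificate as
# a trust anchor, which is what importing it into a browser's certificate
# store (or a Java truststore) amounts to. Encryption was available in both
# cases; only the identity check differs.
verify_with_pinned_cert() {
    if openssl verify -CAfile "$CRT" "$CRT" 2>&1 | grep -q ': OK'; then
        echo ok
    else
        echo fail
    fi
}

make_self_signed
echo "self-signed (issuer == subject): $(is_self_signed && echo yes || echo no)"
echo "verifies against public roots:   $(verify_against_public_roots)"
echo "verifies with cert pinned:       $(verify_with_pinned_cert)"
```

The first verification fails with "self signed certificate" at depth 0, which is the condition behind the browser warning; the second succeeds because the client was told to trust the certificate directly. Nothing about the TLS key exchange differs between the two cases, which is the point being made in the reply.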