Fred K Ollinger on Tue, 28 Jan 2003 14:19:16 -0500



Re: [PLUG] SSL Cert question


> The way to understand it is that, if you generate your own key set using
> OpenSSL and have people using an SSL connection, they will be prompted
> to trust you as who you are and also to trust you as the certificate
> source.  If you use a Verisign Certificate, then you are identified as
> Verisign authenticated and trusted source.

Which I think is silly b/c what's to stop someone from putting up a
javascript that says that it's from Verisign? At some point, they are
going to have to trust _you_, if it's not trusting your key, it's trusting
that you really got a key from Verisign.

There are probably ways of cryptographically proving that the keys are
only from Verisign, but I'm willing to bet that not only do most people
not know how to do that, but most of them have no reason to trust Verisign
over you.

So, make your own key.

Fred Ollinger
_________________________________________________________________________
Philadelphia Linux Users Group        --       http://www.phillylinux.org
Announcements - http://lists.netisland.net/mailman/listinfo/plug-announce
General Discussion  --   http://lists.netisland.net/mailman/listinfo/plug
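
Added example, not part of the original message: a shell sketch of the check an SSL client makes on a certificate's issuer, using the openssl command-line tool. It assumes openssl 1.1.1 or later; the CA name "Example Root CA", the host www.example.test and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example; every name here is constructed. "Example Root CA" stands in
# for a commercial CA, www.example.test for the server.

make_ca() {   # $1 = file prefix. Every CA made here gets the SAME subject name.
    cat > "$1.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -new -x509 -config "$1.cnf" -newkey rsa:2048 -nodes -days 2 \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

issue() {     # $1 = CA prefix, $2 = CSR, $3 = certificate to write
    openssl x509 -req -in "$2" -CA "$1.crt" -CAkey "$1.key" \
        -CAcreateserial -days 2 -out "$3" 2>/dev/null
}

# True only if certificate $2 chains by signature to trust anchor $1.
verifies() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

run_demo() {  # prints one pass/fail word per case, in the order listed below
    d=$(mktemp -d) || return 1
    make_ca "$d/real"
    make_ca "$d/fake"                    # same name as the real CA, different key
    openssl req -new -config "$d/real.cnf" -subj "/CN=www.example.test" \
        -newkey rsa:2048 -nodes -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
    issue "$d/real" "$d/srv.csr" "$d/good.crt"
    issue "$d/fake" "$d/srv.csr" "$d/claims.crt"   # issuer field names the real CA
    openssl req -new -x509 -config "$d/real.cnf" -subj "/CN=www.example.test" \
        -key "$d/srv.key" -days 2 -out "$d/self.crt" 2>/dev/null
    out=""
    # trust-anchor / certificate pairs
    for pair in "real good" "real claims" "real self" "self self"; do
        set -- $pair
        if verifies "$d/$1.crt" "$d/$2.crt"; then out="$out pass"; else out="$out fail"; fi
    done
    rm -rf "$d"
    echo "${out# }"
}

run_demo      # expected: pass fail fail pass
```

In the second case the certificate names the CA as its issuer, but verification checks the CA's signature, which only the holder of the CA's private key can produce. The last case is the self-signed route: it verifies only once the client has installed that certificate as a trust anchor.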