usenet at janc.invalid
Tue Mar 10 00:34:38 CET 2009
Robert Kern wrote:
> On 2009-03-09 13:52, R. David Murray wrote:
>> The web _really, really_ needs some sort of mechanism for a site
>> to say "I'm not claiming anything about my identity, I'm just
>> providing you an https channel over which to talk to me
> If I don't claim an identity and provide a way for you to authenticate that
> claim, the channel is vulnerable to a man-in-the-middle attack and, therefore,
> is not secure. It would provide moderate protection against naive eavesdropping,
> though. Is that what you meant?
There might be a way to authenticate that claim: if you know who this site
is supposed to be owned by, you can call them and ask them to read the
fingerprint over the phone. Or they could print it on all their paper
communication, which would be even better.
Once (back in 2000) I had to order a signed certificate for a company that
didn't exist (yet), and to my surprise it worked (and this was from a very
well-known CA). That was the last day I really trusted certificates signed
by (most) commercial CAs...
So my conclusion is: the only way to be really sure if a certificate is good
is the same for both types (self-signed or signed by a "trusted" CA).
More information about the Python-list