nanog mailing list archives
Re: Gmail and SSL
From: Valdis.Kletnieks () vt edu
Date: Wed, 02 Jan 2013 07:53:28 -0500
On Sun, 30 Dec 2012 19:25:04 -0600, Jimmy Hess said:
> I would say those claiming certificates from a public CA provide no assurance of authentication of server identity greater than that of a self-signed one would have the burden of proof to show that it is no less likely for an attempted forger to be able to obtain a false "bought" certificate from a public trusted CA that has audited certification practices statement, a certificate improperly issued contrary to their CPS, than to have created a self-issued false self-signed certificate.
There's a bit more trust (not much, but a bit) to be attached to a cert signed by a reputable CA over and above that you should attach to a self-signed cert you've never seen before. However, if you trust a CA-signed cert more than you trust a self-signed cert *that you yourself created*, there's probably a problem there someplace. (In other words, you should be able to tell Gmail "yes, you should expect to see a self-signed cert with fingerprint 'foo' - only complain if you see some *other* fingerprint". To the best of my knowledge, there's no currently known attack that allows the forging of a certificate with a pre-specified fingerprint. Though I'm sure Steve Bellovin will correct me if I'm wrong... :)
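The "expect fingerprint 'foo', complain only on a different one" model described in the reply, as an added example that is not part of the thread: a small trust-on-first-use pin store that fingerprints a certificate's DER encoding the way `openssl x509 -fingerprint` prints it. The PEM blob is a constructed placeholder (base64 of arbitrary bytes), not a real certificate; the fingerprint logic is identical for a real one.

```python
import base64
import hashlib
import hmac
import re

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Return the base64-decoded body of the first CERTIFICATE block in a PEM string."""
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Colon-separated upper-case hex digest of the DER bytes (OpenSSL display format)."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class PinStore:
    """Trust-on-first-use store: remember the fingerprint a host presented the
    first time and raise only if a later connection shows a different one."""

    def __init__(self):
        self._pins = {}  # host -> expected fingerprint

    def check(self, host: str, der: bytes) -> str:
        seen = fingerprint(der)
        expected = self._pins.get(host)
        if expected is None:
            self._pins[host] = seen  # first sighting: record, do not complain
            return "pinned"
        if hmac.compare_digest(expected, seen):  # constant-time comparison
            return "match"
        raise ValueError(f"{host}: expected {expected}, got {seen}")


# Constructed sample input: base64 of arbitrary bytes wrapped in PEM armor,
# NOT a real certificate.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(b"constructed placeholder, not a real cert").decode()
              + "-----END CERTIFICATE-----\n")
OTHER_PEM = ("-----BEGIN CERTIFICATE-----\n"
             + base64.encodebytes(b"a different placeholder blob").decode()
             + "-----END CERTIFICATE-----\n")
```

A real client would feed `check()` the DER returned by its TLS library for the peer certificate; the store raises only when a host that was pinned earlier presents a different fingerprint.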