nanog mailing list archives

Re: Gmail and SSL


From: Valdis.Kletnieks () vt edu
Date: Wed, 02 Jan 2013 07:53:28 -0500

On Sun, 30 Dec 2012 19:25:04 -0600, Jimmy Hess said:

> I would say those claiming certificates from a public CA provide no
> assurance of authentication of server identity greater than that of a
> self-signed one would have the burden of proof to show that it is no
> less likely for an attempted forger to be able to obtain a false
> "bought" certificate from a public trusted CA that has audited
> certification practices statement, a certificate improperly issued
> contrary to their CPS, than to have created a self-issued false
> self-signed certificate.

There's a bit more trust (not much, but a bit) to be attached to a
cert signed by a reputable CA over and above that you should attach
to a self-signed cert you've never seen before.

However, if you trust a CA-signed cert more than you trust a self-signed
cert *that you yourself created*, there's probably a problem there someplace.

(In other words, you should be able to tell Gmail "yes, you should expect
to see a self-signed cert with fingerprint 'foo' - only complain if you
see some *other* fingerprint".  To the best of my knowledge, there's no
currently known attack that allows the forging of a certificate with a
pre-specified fingerprint.  Though I'm sure Steve Bellovin will correct
me if I'm wrong... :)
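
The fingerprint check described in the message above, as an added example that is not part of the original post: the client records the fingerprint of a self-signed certificate and complains only when a different one is presented. The use of SHA-256, the host names, the sample byte strings and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import ssl

def fingerprint(der: bytes) -> str:
    """Lowercase hex SHA-256 over the certificate's DER encoding."""
    return hashlib.sha256(der).hexdigest()

def normalize(fp: str) -> str:
    """Accept 'AB:CD:...', 'ab cd ...' or plain hex and return lowercase hex."""
    return fp.replace(":", "").replace(" ", "").lower()

def check_pin(pins: dict, host: str, der: bytes) -> str:
    """Classify the certificate a host presented: 'match', 'mismatch' or 'unpinned'."""
    expected = pins.get(host.lower())
    if expected is None:
        return "unpinned"  # nothing recorded for this host: do not silently trust
    same = hmac.compare_digest(normalize(expected), fingerprint(der))
    return "match" if same else "mismatch"

def fetch_der(host: str, port: int) -> bytes:
    """Fetch the peer certificate with CA validation off; the pin is the only check."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

# Constructed stand-ins for DER bytes; a real caller would use fetch_der().
OWN_CERT = b"constructed bytes standing in for my self-signed certificate"
OTHER_CERT = b"constructed bytes standing in for a substituted certificate"

def demo() -> dict:
    fp = fingerprint(OWN_CERT).upper()
    # Pin recorded by the operator in the colon-separated form tools usually print.
    pins = {"mail.example.org": ":".join(fp[i:i + 2] for i in range(0, len(fp), 2))}
    return {
        "own": check_pin(pins, "mail.example.org", OWN_CERT),
        "other": check_pin(pins, "MAIL.example.org", OTHER_CERT),
        "new_host": check_pin(pins, "pop.example.net", OWN_CERT),
    }

if __name__ == "__main__":
    print(demo())
```

A host with no recorded pin is reported separately from a mismatch, so the caller has to make an explicit decision about first contact.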
