Re: Browser security warning

What a thread. I took a glance, but if I'm saying redundant things that 
have been dealt with, don't waste bandwidth saying redundant things to me. 


>   I can imagine four reasons why a site might rely on self-signed certs
> 
>   (1) The service is being tested and is not yet ready for deployment
>   (2) The administrator hasn't got the $20 to get a low-end CA cert.
>   (3) The administrator is only concerned about eavesdropping and
>       so believes a self-signed certificate is adequate.
>       (In reality, if an attacker can eavesdrop (s)he can probably
>       forge packets as well.)
>   (4) The administrator doesn't have the time/skills to install a
>       CA cert and figures that users will click through to the page
>       even if the cert is self-signed.

You seem to be totally ignoring enterprise scenarios. I don't see why
enterprises shouldn't use self-signed certs for intra-enterprise
applications. I see it as a hole in the trust management infrastructure
that there are no tools for enterprises to administer certs to desktops,
the same way they manage code updates to desktops.

So, before reading the entire thread, I resist the notion that only 
pre-shipped CA certs are "good". It may be however that we can only make 
them usable by my mom. Who does not work for an enterprise. 

Welcome to the WG. 
        Mez

Received on Sunday, 31 December 2006 00:38:25 UTC