Re: Uses for self-signed certificates (Was: Browser security warning)

Stuart E. Schechter wrote:
>> From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
>>> I have no problem turning on SSL any time at all provided that the user is
>>> not given a false sense of security. Don't show the padlock, maybe warn if
>>> the user actually typed in https://.
>> In this use case, the content is both encrypted and, "secure,"
>> for many reasonable definitions of secure.
> 
>    "Secure" is a meaningless word unless you say what it is secure against.

Yes, but the sentence above isn't meaningless, is it? If it is, then
I'm surprised and appear to have lost some of my writing skills:-)

> What is the threat model under which you would say this meets a definition
> of secure?

There are a bunch of reasonable threat models, as I said above. I'm
sure you can think of one, but for the purposes of this discussion,
it doesn't matter in this case which one you pick.

S.

Received on Tuesday, 9 January 2007 16:37:05 UTC