Fwd: Utility of self-signed certs - Re: Questions about legacy apps/req.c code
David von Oheimb
dev at ddvo.net
Wed Dec 22 21:49:30 UTC 2021
Yeah, self-signed certs are absolutely useful - you just need to be very
careful which ones you trust for what.
Such certs are widely used to provide trust anchor information,
typically of root CAs,
but conceptually and pragmatically, as Jordan also stated below,
they can make much sense even for end entities, such as locally known
and trusted servers or email users.
I spent quite some effort to get their (optional) acceptance re-enabled
in Thunderbird:
https://bugzilla.mozilla.org/show_bug.cgi?id=1523130
but even one of their security(?) experts did not get my point and
refused support.
David
On 22.12.21 22:13, Jordan Brown wrote:
> On 12/22/2021 1:08 PM, Philip Prindeville wrote:
>> I see there being limited application (utility) of self-signed certs, since they're pretty much useless from a security perspective, because they're unanchored in any root-of-trust.
>
> They're OK once you take a leap of faith, check the fingerprint, or
> copy the certificate out of band.
>
> In some senses they are *better* than a CA-based cert, because once
> established they are not vulnerable to CA compromise.
> --
> Jordan Brown, Oracle ZFS Storage Appliance, Oracle Solaris
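The fingerprint check Jordan describes above, as an added example that is not part of this thread: a trust-on-first-use pin store in Python (standard library only). `fingerprint`, `check_pin` and `fetch_peer_cert` are names assumed here, and the certificate bytes used in the usage below are constructed placeholders, not real DER certificates.

```python
import hashlib
import socket
import ssl


class PinMismatch(Exception):
    """Raised when a peer presents a certificate other than the pinned one."""


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, formatted the way
    `openssl x509 -fingerprint -sha256` prints it (upper-case hex, colon-separated)."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_pin(pins: dict, host: str, der_cert: bytes) -> bool:
    """Trust-on-first-use: the first certificate seen for `host` is recorded
    (ideally after confirming its fingerprint out of band, e.g. by phone or
    from a printed fingerprint); every later certificate must match exactly.
    Returns True on first use, False on a matching repeat, raises on mismatch."""
    seen = fingerprint(der_cert)
    pinned = pins.get(host)
    if pinned is None:
        pins[host] = seen
        return True
    if pinned != seen:
        # A changed certificate is the signal a CA-based setup cannot give:
        # it is not overridden by any CA, so treat it as a hard failure.
        raise PinMismatch(f"{host}: expected {pinned}, got {seen}")
    return False


def fetch_peer_cert(host: str, port: int = 443) -> bytes:
    """Fetch the peer's DER certificate without CA validation. The pin check
    (check_pin) is then the sole authentication, so never skip it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False            # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE       # self-signed: no CA chain to build
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    pins = {}
    cert_a = b"constructed placeholder for server A's DER certificate"
    print(check_pin(pins, "nas.local", cert_a))   # True: first use, now pinned
    print(check_pin(pins, "nas.local", cert_a))   # False: same cert, accepted
    print(pins["nas.local"])                      # the pinned fingerprint
```

In real use, replace the placeholder bytes with the result of `fetch_peer_cert(host)` and persist `pins` (for example as JSON) so the pin survives across runs.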