Fwd: Utility of self-signed certs - Re: Questions about legacy apps/req.c code

David von Oheimb dev at ddvo.net
Wed Dec 22 21:49:30 UTC 2021


Yeah, self-signed certs are absolutely useful - you just need to be very 
careful which ones you trust for what.

Such certs are widely used to provide trust anchor information, 
typically of root CAs,
but conceptually and pragmatically, as Jordan also stated below,
they can make much sense even for end entities, such as locally known 
and trusted servers or email users.

I spent quite some effort to get their (optional) acceptance re-enabled 
in Thunderbird:
https://bugzilla.mozilla.org/show_bug.cgi?id=1523130
but even one of their security(?) experts did not get my point and 
refused support.

     David

On 22.12.21 22:13, Jordan Brown wrote:
> On 12/22/2021 1:08 PM, Philip Prindeville wrote:
>> I see there being limited application (utility) of self-signed certs, since they're pretty much useless from a security perspective, because they're unanchored in any root-of-trust.
>
> They're OK once you take a leap of faith, check the fingerprint, or 
> copy the certificate out of band.
>
> In some senses they are *better* than a CA-based cert, because once 
> established they are not vulnerable to CA compromise.
> -- 
> Jordan Brown, Oracle ZFS Storage Appliance, Oracle Solaris
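The two ways Jordan describes of making a self-signed cert trustworthy, copying it out of band and using it as its own trust anchor, or checking its fingerprint by hand, as an added Go example (not code from this thread or from OpenSSL; the host name nas.local and the throwaway certificate are constructed for the demonstration):

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newSelfSigned mints a throwaway self-signed cert (constructed test data, not a deployment cert).
func newSelfSigned(host string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	// Issuer == subject, signed by its own key: that is all "self-signed" means.
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// trusted reports whether leafDER verifies for host against a root pool that
// holds only anchorDER, the copy obtained out of band (nil anchor: empty pool).
func trusted(leafDER, anchorDER []byte, host string) bool {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return false
	}
	roots := x509.NewCertPool() // deliberately not the system CA store
	if anchor, perr := x509.ParseCertificate(anchorDER); perr == nil {
		roots.AddCert(anchor)
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// fingerprint is the SHA-256 of the DER cert, the value compared by hand before pinning.
func fingerprint(der []byte) string {
	return fmt.Sprintf("%x", sha256.Sum256(der))
}
```

With an empty pool the cert fails exactly as Philip says (unanchored); once the same cert is the anchor it verifies with no CA involved, so a CA compromise cannot substitute another cert for it.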