[jdev] self signed cert

Dave Cridland dave at cridland.net
Thu May 5 07:12:01 UTC 2016


On 5 May 2016 at 05:51, Marcel Waldvogel <marcel.waldvogel at uni-konstanz.de>
wrote:

> But then again, these days, self-signed certs have no advantage over
> CA-signed certs.
>

Not sure there's a "these days" about it. A full PKI has always had
advantages over self-signed; it's just that self-signed used to be
considered useless, and now isn't.

Whether the full PKI is a single TA or not is a whole *other* question,
though - if you're in a position to enforce a single CA across both clients
and servers, you're much better off. DANE gets quite close to this - as
close as is practical on the internet actually; we really need to start
deploying this.


>
> Kind regards,
> -Marcel Waldvogel <https://me.uni.kn/marcel.waldvogel>
> (short and sweet)
>
> On 04.05.2016 at 16:05, Dave Cridland <dave at cridland.net> wrote:
>
>
>
> On 3 May 2016 at 19:10, Tomasz Sterna <tomek at xiaoka.com> wrote:
>
>> On 03.05.2016, Tue at 09:40 -0700, user
>> lists at lazygranch.com wrote:
>> > I suspect you wouldn't want s2s to use a self-signed cert, so
>> > allowing two levels of verification (c2s and s2s) sounds complex. You
>> > fix one thing in software and you break something else.
>>
>> So, why would you allow self-signed on C2S?
>>
>> Why do you want to use encryption in the first place?
>> So, no one is able to read the conversation, right?
>> But a self-signed cert does not give you this... just a false illusion
>> that you are protected from eavesdropping.
>> But self-signed does not protect you from a man-in-the-middle attack, so
>> basically anyone able to tap the wire your transmission is going
>> through is still able to read it, with just slightly more effort.
>>
>>
> I used to agree with you, but I've changed my mind over the years - it
> turns out that because it forces an attacker to switch from passive
> eavesdropping to active MITM, this is a blocker for the majority of
> attackers, especially opportunistic or mass-surveillance actors.
>
> So a self-signed cert is better than no cert at all (even if you want
> something independently verifiable ideally).
>
>
>>
>> > I noticed the online documentation doesn't completely match the xml,
>> > but there are enough comments in the xml that I could get close to
>> > setting it up. It is just the certs that are confusing.
>>
>> Yeah. The real and up-to-date source of documentation is the comments
>> in the configuration files.
>>
>>
>> --
>>  /o__
>> (_<^' Practice is the best of all instructors.
>>
>>
>> _______________________________________________
>> JDev mailing list
>> Info: http://mail.jabber.org/mailman/listinfo/jdev
>> Unsubscribe: JDev-unsubscribe at jabber.org
>> _______________________________________________
>>
>>
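An added example (my own code, not from this thread or any XMPP project) of the point Dave makes above: opportunistic TLS with a self-signed certificate only defeats passive taps, but a client that pins the fingerprint on first use turns every later active MITM into a detectable mismatch. The host name and certificate bytes used below are constructed placeholders, and the pin store is kept in memory where a real client would persist it.

```python
import hashlib
import ssl


class PinMismatch(Exception):
    """The peer presented a certificate that differs from the pinned one."""


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, the same value
    `openssl x509 -fingerprint -sha256` prints (without the colons)."""
    return hashlib.sha256(der_cert).hexdigest()


class PinStore:
    """Trust-on-first-use store: remember each host's certificate fingerprint
    the first time we see it and refuse any later change."""

    def __init__(self) -> None:
        self.pins: dict[str, str] = {}  # host -> hex fingerprint

    def check(self, host: str, der_cert: bytes) -> str:
        fp = fingerprint(der_cert)
        known = self.pins.get(host)
        if known is None:
            # First contact: nothing to compare against. This is the one
            # window an active attacker has with a self-signed deployment.
            self.pins[host] = fp
            return "first-use"
        if known != fp:
            # A changed certificate on a pinned host is either a legitimate
            # rotation (which an operator should announce) or an active MITM.
            raise PinMismatch(f"{host}: pinned {known}, got {fp}")
        return "match"


def opportunistic_context() -> ssl.SSLContext:
    """TLS context that skips PKI validation. On its own this only stops passive
    eavesdropping; pair it with PinStore.check() on the peer's DER certificate
    (sock.getpeercert(binary_form=True)) after the handshake."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def is_pki_validating(ctx: ssl.SSLContext) -> bool:
    """True when the context would reject a self-signed server certificate."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
```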