[tor-relays] OT :Self-signed SSL certs - was - Re: Watching the attacks on my relay

mick mbm at rlogin.net
Sat Nov 9 16:32:05 UTC 2013


On Sat, 9 Nov 2013 21:30:13 +0600
Roman Mamedov <rm at romanrm.net> allegedly wrote:

> On Sat, 9 Nov 2013 12:50:18 +0000
> mick <mbm at rlogin.net> wrote:
> 
> > I don't see any problem per se with a self-signed certificate on a
> > site which does not purport to protect anything sensitive (such as
> > financial transactions). The problem with this particular
> > certificate is that the common name identifier is both wrong (www)
> > and badly formatted (http://). But both of those errors can be
> > corrected very quickly.
> > 
> > Why pay a CA if you don't trust the CA model?
> 
> If your primary objection is the need to pay for certificates (and
> not e.g. the possibility of CA itself being backdoored etc), then I'd
> suggest considering CAcert[1]. It provides free wildcard certificates
> which are already trusted out of the box by some[2] FOSS operating
> systems such as Debian.
> 
> I'd say it is better than trusting individual self-signed certs, and
> somewhat better than using your own root CA cert, since it saves the
> effort required to install your own CA on all machines you need to
> use it on.
> 
> [1] http://www.cacert.org/
> [2] http://wiki.cacert.org/InclusionStatus
> 

Roman

Paying for certificates is not my objection. My objection is to the
model which says that "if I give money to a commercial entity in
exchange for a certificate, that means that the trust chain is valid."

I've actually bought certificates for websites I managed in the past
and I am deeply unimpressed with the process. And, as you say, the cert
could be backdoored. There are a huge number of CAs from all over the
place in the default set shipped in ca-certificates - who do I trust? 

I have looked at CAcert in the past. They have the problem of very
limited acceptability
(https://en.wikipedia.org/wiki/Comparison_of_SSL_certificates_for_web_servers) 

But as I said, in my particular case, my certs are there to protect my
credentials in transit. I don't have to care about whether others
trust me. So I don't need a CA. (Though if I did want others to trust
me, I'd probably use CAcert).

Best

Mick
  
---------------------------------------------------------------------

 Mick Morgan
 gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312
 http://baldric.net

---------------------------------------------------------------------
