[liberationtech] self signing certs by default
Guido Witmond
guido at witmond.nl
Fri Mar 14 15:25:15 PDT 2014
On 03/14/14 22:45, John Adams wrote:
> You misunderstand the signing practice if you think this is a good idea.

I don't get it yet. Which part would I be getting wrong: the signing
of server certificates by CAs, or the DNSSEC/DANE part? Please elaborate.

>
> Granted, it provides a low level of encryption for clients but it does not provide non-repudiability to those users, opening them up to MitM attacks.

I don't think non-repudiability is offered to users who connect to a
site with a server certificate. I believe one needs client certificates
and message signing for that.

Regards, Guido.