
Re: (Non-PEM) self-signed certificate

1993-06-12 15:19:00
Message-Id: <199306110711.AA17869@mailsrvr.az05.bull.com>
Date: 11 Jun 93 00:12:59 U
From: "Hoyt Kesterson" <hoyt_kesterson@ppd-smtp.az05.bull.com>
Subject: Re: (Non-PEM) self-signed certificate

but is that holder who I think it is?
[...]
So, is a self-signed certificate a security risk? No, but trusting one is.

Your conclusion assumes that I have some contact with the person in
question besides via e-mail.

If I "met" the person through e-mail (or postings) and have communicated
only that way and if all of those messages had been signed by the same key
-- then if I get a self-signed certificate signed by the same key, I have
received *proof* that this certificate is really for that person.  It is
totally trustable.

In this case, "that person" means literally "the person who knows the
private key to match this public one" -- it says nothing about the person's
name or occupation or employer -- or even about how many flesh-and-blood
humans constitute that "person".  (E.g., the boss's secretary signs his
letters to some people; even writes them to some.)

For many of my e-mail contacts, this is a fair description.  I have never
met the person, I probably never will and I really don't care who the
person's employer is, what the person does for a living or what the
person's name is on his/her birth certificate.  All I care about is that
this is the same person I've been conversing with all this time.

 - Carl
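The key-continuity check Carl describes, written out as an added example that is not part of the original post. It uses only Go's standard library; the keys, the sample message and the Subject name "Carl" are constructed for illustration. A self-signed certificate is accepted only when its self-signature verifies and its key is the one already seen on the correspondent's earlier signed mail; the name inside it is not relied on.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SelfSignedCert builds a certificate signed by the key it carries; the Subject name is unverified.
func SelfSignedCert(priv ed25519.PrivateKey, name string) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// AcceptByKeyContinuity accepts a certificate only if (1) its signature verifies under the key it
// carries, so it really is self-signed, and (2) that key equals the one pinned from earlier mail.
func AcceptByKeyContinuity(pinned ed25519.PublicKey, cert *x509.Certificate) bool {
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	if !ok || !pub.Equal(pinned) {
		return false
	}
	return cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil
}

func main() {
	// Constructed scenario: key A signed all past mail; key B is a stranger using the same name.
	pubA, privA, _ := ed25519.GenerateKey(rand.Reader)
	_, privB, _ := ed25519.GenerateKey(rand.Reader)
	msg := []byte("constructed earlier message")
	fmt.Println("earlier mail verifies under pinned key:", ed25519.Verify(pubA, msg, ed25519.Sign(privA, msg)))
	certA, _ := SelfSignedCert(privA, "Carl")
	certB, _ := SelfSignedCert(privB, "Carl")
	fmt.Println("cert from same key accepted:", AcceptByKeyContinuity(pubA, certA))            // true
	fmt.Println("cert from other key, same name, accepted:", AcceptByKeyContinuity(pubA, certB)) // false
}
```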
